Example 31 with SAMLResponderException
use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.
the class SingleLogoutManager method sendLogoutResponse.
/**
* Sends logout response, this is for the case of HTTP binding
* There are two cases here:
* 1. IDP initiated HTTP Logout, just redirect user browser to original
* relaystate.
* 2. SP initiated HTTP logout, need to send LogoutResponse back to SP.
*/
void sendLogoutResponse(HttpServletRequest request, HttpServletResponse response, String relayState) throws IOException {
if (debug.messageEnabled()) {
debug.message("SingleLogoutManager.sendLogoutResponse: relaystate=" + relayState);
}
String logoutResponseXML = (String) sloResponseXMLMap.get(relayState);
if (logoutResponseXML == null) {
// first case, just redirect to original relayState
String origRelayState = (String) relayStateMap.get(relayState);
int logoutStatus = ((Integer) currentStatusMap.get(relayState)).intValue();
String statusString = MultiProtocolUtils.getLogoutStatus(logoutStatus);
if ((origRelayState == null) || (origRelayState.length() == 0)) {
// TODO : get default single logout URL for each protocol
response.getWriter().print("Logout DONE. Status = " + statusString);
} else {
// include logout status
if (origRelayState.indexOf("?") == -1) {
response.sendRedirect(origRelayState + "?" + SingleLogoutManager.STATUS_PARAM + "=" + statusString);
} else {
response.sendRedirect(origRelayState + "&" + SingleLogoutManager.STATUS_PARAM + "=" + statusString);
}
}
} else {
String protocol = (String) origProtocolMap.get(relayState);
String spEntityID = (String) spEntityIDMap.get(relayState);
String origRelayState = (String) relayStateMap.get(relayState);
String realm = (String) realmMap.get(relayState);
String idpEntityID = (String) idpEntityIDMap.get(relayState);
int currentStatus = ((Integer) currentStatusMap.get(relayState)).intValue();
if (protocol.equals(SingleLogoutManager.SAML2)) {
try {
LogoutResponse logResp = ProtocolFactory.getInstance().createLogoutResponse(logoutResponseXML);
String location = logResp.getDestination();
String statusVal = logResp.getStatus().getStatusCode().getValue();
String newVal = getNewStatusCode(currentStatus, statusVal);
if (!statusVal.equals(newVal)) {
logResp.getStatus().getStatusCode().setValue(statusVal);
}
if (debug.messageEnabled()) {
debug.message("SingleLogoutManager.sendLogoutRes:" + "(SAML2) location=" + location + " orig status=" + statusVal + ", new status=" + newVal + ", orig relay=" + origRelayState + ", realm=" + realm + ", idpEntityID=" + idpEntityID + ", spEntityID=" + spEntityID);
}
LogoutUtil.sendSLOResponse(response, logResp, location, origRelayState, realm, idpEntityID, SAML2Constants.IDP_ROLE, spEntityID);
} catch (SAML2Exception ex) {
debug.error("SingleLogoutManager.sendLogoutResponse:saml2", ex);
throw new IOException(ex.getMessage());
}
} else if (protocol.equals(SingleLogoutManager.IDFF)) {
boolean failed = false;
String logoutDoneURL = null;
try {
debug.message("SingleLogoutManager.sendLogoutResp: IDFF");
IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
ProviderDescriptorType descriptor = metaManager.getSPDescriptor(realm, spEntityID);
String retURL = descriptor.getSingleLogoutServiceReturnURL();
Element elem = XMLUtils.toDOMDocument(logoutResponseXML, SingleLogoutManager.debug).getDocumentElement();
FSLogoutResponse responseLogout = new FSLogoutResponse(elem);
BaseConfigType hostedConfig = metaManager.getIDPDescriptorConfig(realm, idpEntityID);
logoutDoneURL = FSServiceUtils.getLogoutDonePageURL(request, hostedConfig, null);
Status status = responseLogout.getStatus();
String statusVal = status.getStatusCode().getValue();
String newVal = getNewStatusCode(currentStatus, statusVal);
if (!statusVal.equals(newVal)) {
com.sun.identity.saml.protocol.StatusCode statCode = new com.sun.identity.saml.protocol.StatusCode(newVal);
com.sun.identity.saml.protocol.Status stat = new com.sun.identity.saml.protocol.Status(statCode);
responseLogout.setStatus(stat);
}
if (debug.messageEnabled()) {
debug.message("SingleLogoutManager.sendLogoutRes:" + "(IDFF) orig status=" + statusVal + ", new status=" + newVal + ", orig relay=" + origRelayState + ", logout done URL=" + logoutDoneURL + ", realm=" + realm + ", idpEntityID=" + idpEntityID + ", spEntityID=" + spEntityID);
}
String urlEncodedResponse = responseLogout.toURLEncodedQueryString();
// Sign the request querystring
if (FSServiceUtils.isSigningOn()) {
String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.SIGNING_CERT_ALIAS);
if (certAlias == null || certAlias.length() == 0) {
if (debug.messageEnabled()) {
debug.message("SingleLogoutManager.sendLogoutRes:" + "signSAMLRequest couldn't obtain cert alias.");
}
throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT_ALIAS));
} else {
urlEncodedResponse = FSSignatureUtil.signAndReturnQueryString(urlEncodedResponse, certAlias);
}
}
StringBuffer redirectURL = new StringBuffer();
redirectURL.append(retURL);
if (retURL.indexOf(IFSConstants.QUESTION_MARK) == -1) {
redirectURL.append(IFSConstants.QUESTION_MARK);
} else {
redirectURL.append(IFSConstants.AMPERSAND);
}
redirectURL.append(urlEncodedResponse);
if (debug.messageEnabled()) {
debug.message("SingleLogoutManager.sendResponse " + "for IDFF, url = " + redirectURL.toString());
}
response.sendRedirect(redirectURL.toString());
} catch (FSMsgException ex) {
debug.error("SingleLogoutManager.sendLogoutRes", ex);
failed = true;
} catch (SAMLException ex) {
debug.error("SingleLogoutManager.sendLogoutRes", ex);
failed = true;
;
} catch (IDFFMetaException ex) {
debug.error("SingleLogoutManager.sendLogoutRes", ex);
failed = true;
} catch (IOException ex) {
debug.error("SingleLogoutManager.sendLogoutRes", ex);
failed = true;
}
if (failed) {
FSServiceUtils.returnLocallyAfterOperation(response, logoutDoneURL, false, IFSConstants.LOGOUT_SUCCESS, IFSConstants.LOGOUT_FAILURE);
}
} else if (protocol.equals(SingleLogoutManager.WS_FED)) {
debug.message("SingleLogoutManager.sendLogoutResponse: WSFED");
if (origRelayState != null) {
response.sendRedirect(origRelayState);
} else {
response.getWriter().print("Logout DONE.");
}
} else {
// should never come here
debug.error("SingleLogoutManager.sendLogoutResponse: invalid" + " protocol : " + protocol);
}
}
cleanupParameters(relayState);
return;
}
Also used :
Element(org.w3c.dom.Element)
SAMLException(com.sun.identity.saml.common.SAMLException)
BaseConfigType(com.sun.identity.federation.jaxb.entityconfig.BaseConfigType)
Status(com.sun.identity.saml.protocol.Status)
Status(com.sun.identity.saml.protocol.Status)
FSMsgException(com.sun.identity.federation.message.common.FSMsgException)
FSLogoutResponse(com.sun.identity.federation.message.FSLogoutResponse)
LogoutResponse(com.sun.identity.saml2.protocol.LogoutResponse)
IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException)
ProviderDescriptorType(com.sun.identity.liberty.ws.meta.jaxb.ProviderDescriptorType)
IOException(java.io.IOException)
FSLogoutResponse(com.sun.identity.federation.message.FSLogoutResponse)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
Example 32 with SAMLResponderException
use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.
the class Request method signXML.
/**
* Method to sign the Request.
* @exception SAMLException if could not sign the Request.
*/
public void signXML() throws SAMLException {
if (signed) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("Request.signXML: the request is " + "already signed.");
}
throw new SAMLException(SAMLUtils.bundle.getString("alreadySigned"));
}
String certAlias = SystemConfigurationUtil.getProperty("com.sun.identity.saml.xmlsig.certalias");
if (certAlias == null) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("Request.signXML: couldn't obtain " + "this site's cert Alias.");
}
throw new SAMLResponderException(SAMLUtils.bundle.getString("cannotFindCertAlias"));
}
XMLSignatureManager manager = XMLSignatureManager.getInstance();
if ((majorVersion == 1) && (minorVersion == 0)) {
SAMLUtils.debug.message("Request.signXML: sign with version 1.0");
signatureString = manager.signXML(this.toString(true, true), certAlias);
// this block is used for later return of signature element by
// getSignature() method
signature = XMLUtils.toDOMDocument(signatureString, SAMLUtils.debug).getDocumentElement();
} else {
Document doc = XMLUtils.toDOMDocument(this.toString(true, true), SAMLUtils.debug);
// sign with SAML 1.1 spec & include cert in KeyInfo
signature = manager.signXML(doc, certAlias, null, REQUEST_ID_ATTRIBUTE, getRequestID(), true, null);
signatureString = XMLUtils.print(signature);
}
signed = true;
xmlString = this.toString(true, true);
}
Also used :
XMLSignatureManager(com.sun.identity.saml.xmlsig.XMLSignatureManager)
Document(org.w3c.dom.Document)
SAMLException(com.sun.identity.saml.common.SAMLException)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
Example 33 with SAMLResponderException
use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.
the class Request method parseQuery.
/**
* This method parses the Query or SubjectQuery represented by a DOM tree
* Node. It then checks and sets data members if it is a supported query,
* such as AuthenticationQuery, AttributeQeury, or
* <code>AuthorizationDecisionQuery</code>.
* @param child A DOM Node to be parsed.
* @exception SAMLException if it's not a supported query.
*/
private void parseQuery(Node child) throws SAMLException {
NamedNodeMap nm = child.getAttributes();
int len = nm.getLength();
String attrName;
String attrValue;
Attr attr;
boolean found = false;
for (int j = 0; j < len; j++) {
attr = (Attr) nm.item(j);
attrName = attr.getLocalName();
if ((attrName != null) && (attrName.equals("type"))) {
attrValue = attr.getNodeValue();
if (attrValue.equals("AuthenticationQueryType")) {
if (contentType != NOT_SUPPORTED) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("Request(Element): should" + " contain only one AuthenticationQuery.");
}
throw new SAMLRequesterException(SAMLUtils.bundle.getString("wrongInput"));
}
contentType = AUTHENTICATION_QUERY;
query = new AuthenticationQuery((Element) child);
} else if (attrValue.equals("AuthorizationDecisionQueryType")) {
if (contentType != NOT_SUPPORTED) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("Request(Element): should " + "contain one AuthorizationDecisionQuery.");
}
throw new SAMLRequesterException(SAMLUtils.bundle.getString("wrongInput"));
}
contentType = AUTHORIZATION_DECISION_QUERY;
query = new AuthorizationDecisionQuery((Element) child);
} else if (attrValue.equals("AttributeQueryType")) {
if (contentType != NOT_SUPPORTED) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("Request(Element): should " + "contain one AttributeQuery.");
}
throw new SAMLRequesterException(SAMLUtils.bundle.getString("wrongInput"));
}
contentType = ATTRIBUTE_QUERY;
query = new AttributeQuery((Element) child);
} else {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("Request(Element): This type of" + " " + attrName + " is not supported.");
}
throw new SAMLResponderException(SAMLUtils.bundle.getString("queryNotSupported"));
}
// check typevalue
found = true;
break;
}
// if found type attribute
}
// if not found type
if (!found) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("Request(Element): missing" + " xsi:type definition in " + child.getLocalName());
}
throw new SAMLRequesterException(SAMLUtils.bundle.getString("wrongInput"));
}
}
Also used :
NamedNodeMap(org.w3c.dom.NamedNodeMap)
Element(org.w3c.dom.Element)
SAMLRequesterException(com.sun.identity.saml.common.SAMLRequesterException)
Attr(org.w3c.dom.Attr)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
Example 34 with SAMLResponderException
use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.
the class Response method signXML.
/**
* Method that signs the Response.
*
* @exception SAMLException if could not sign the Response.
*/
public void signXML() throws SAMLException {
if (signed) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("Response.signXML: the response is " + "already signed.");
}
throw new SAMLException(SAMLUtils.bundle.getString("alreadySigned"));
}
String certAlias = SystemConfigurationUtil.getProperty("com.sun.identity.saml.xmlsig.certalias");
if (certAlias == null) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("Response.signXML: couldn't obtain " + "this site's cert alias.");
}
throw new SAMLResponderException(SAMLUtils.bundle.getString("cannotFindCertAlias"));
}
XMLSignatureManager manager = XMLSignatureManager.getInstance();
if ((majorVersion == 1) && (minorVersion == 0)) {
SAMLUtils.debug.message("Request.signXML: sign with version 1.0");
signatureString = manager.signXML(this.toString(true, true), certAlias);
// this block is used for later return of signature element by
// getSignature() method
signature = XMLUtils.toDOMDocument(signatureString, SAMLUtils.debug).getDocumentElement();
} else {
Document doc = XMLUtils.toDOMDocument(this.toString(true, true), SAMLUtils.debug);
// sign with SAML 1.1 spec & include cert in KeyInfo
signature = manager.signXML(doc, certAlias, null, RESPONSE_ID_ATTRIBUTE, getResponseID(), true, null);
signatureString = XMLUtils.print(signature);
}
signed = true;
xmlString = this.toString(true, true);
}
Also used :
XMLSignatureManager(com.sun.identity.saml.xmlsig.XMLSignatureManager)
Document(org.w3c.dom.Document)
SAMLException(com.sun.identity.saml.common.SAMLException)
SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException)
Aggregations
SAMLResponderException (com.sun.identity.saml.common.SAMLResponderException)34
SAMLException (com.sun.identity.saml.common.SAMLException)22
XMLSignatureManager (com.sun.identity.saml.xmlsig.XMLSignatureManager)21
FSMsgException (com.sun.identity.federation.message.common.FSMsgException)15
IOException (java.io.IOException)9
X509Certificate (java.security.cert.X509Certificate)9
ParseException (java.text.ParseException)9
Document (org.w3c.dom.Document)8
SessionException (com.sun.identity.plugin.session.SessionException)7
IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException)6
SAMLVersionMismatchException (com.sun.identity.saml.common.SAMLVersionMismatchException)5
Element (org.w3c.dom.Element)5
FSAccountMgmtException (com.sun.identity.federation.accountmgmt.FSAccountMgmtException)4
FSLogoutResponse (com.sun.identity.federation.message.FSLogoutResponse)4
HashMap (java.util.HashMap)4
ProviderDescriptorType (com.sun.identity.liberty.ws.meta.jaxb.ProviderDescriptorType)3
FSException (com.sun.identity.federation.common.FSException)2
FSSOAPService (com.sun.identity.federation.services.FSSOAPService)2
SAMLRequesterException (com.sun.identity.saml.common.SAMLRequesterException)2
List (java.util.List)2
