
Example 31 with SAMLResponderException

use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.

the class SingleLogoutManager method sendLogoutResponse.

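/**
 * Sends the logout response for the HTTP binding.
 * There are two cases here:
 * 1. IDP initiated HTTP Logout (no LogoutResponse XML stored for this
 *    relayState): just redirect the user browser to the original relayState,
 *    with the logout status appended as the STATUS_PARAM query parameter, or
 *    print a plain "Logout DONE" page when there is no original relayState.
 * 2. SP initiated HTTP logout (a LogoutResponse XML was stored): send the
 *    LogoutResponse back to the SP using the protocol recorded for this
 *    relayState (SAML2, IDFF or WS-Federation).
 * The per-relayState bookkeeping is cleared by cleanupParameters(relayState)
 * at the end. Note that this only happens on the normal path: an IOException
 * escaping from a redirect/write, or from the SAML2 branch, skips it.
 *
 * @param request the current HTTP request (used by the IDFF branch to build
 *        the logout-done URL)
 * @param response the HTTP response the redirect or page is written to
 * @param relayState key under which the logout state of this flow was stored
 * @throws IOException if writing the response or redirecting fails, or, in
 *         the SAML2 case, if the stored LogoutResponse cannot be processed
 *         (the SAML2Exception is attached as the cause)
 */
void sendLogoutResponse(HttpServletRequest request, HttpServletResponse response, String relayState) throws IOException {
    if (debug.messageEnabled()) {
        debug.message("SingleLogoutManager.sendLogoutResponse: relaystate=" + relayState);
    }
    String logoutResponseXML = (String) sloResponseXMLMap.get(relayState);
    if (logoutResponseXML == null) {
        // first case, just redirect to original relayState
        String origRelayState = (String) relayStateMap.get(relayState);
        // assumes a status entry exists for this relayState (NPE otherwise)
        int logoutStatus = ((Integer) currentStatusMap.get(relayState)).intValue();
        String statusString = MultiProtocolUtils.getLogoutStatus(logoutStatus);
        if ((origRelayState == null) || (origRelayState.length() == 0)) {
            // TODO : get default single logout URL for each protocol
            response.getWriter().print("Logout DONE. Status = " + statusString);
        } else {
            // include logout status
            // NOTE(review): origRelayState is redirected to as-is; whether it was
            // checked against an allowed-URL list when relayStateMap was populated
            // is not visible here -- confirm at the storing side.
            if (origRelayState.indexOf("?") == -1) {
                response.sendRedirect(origRelayState + "?" + SingleLogoutManager.STATUS_PARAM + "=" + statusString);
            } else {
                response.sendRedirect(origRelayState + "&" + SingleLogoutManager.STATUS_PARAM + "=" + statusString);
            }
        }
    } else {
        String protocol = (String) origProtocolMap.get(relayState);
        String spEntityID = (String) spEntityIDMap.get(relayState);
        String origRelayState = (String) relayStateMap.get(relayState);
        String realm = (String) realmMap.get(relayState);
        String idpEntityID = (String) idpEntityIDMap.get(relayState);
        // assumes a status entry exists for this relayState (NPE otherwise)
        int currentStatus = ((Integer) currentStatusMap.get(relayState)).intValue();
        if (protocol.equals(SingleLogoutManager.SAML2)) {
            try {
                LogoutResponse logResp = ProtocolFactory.getInstance().createLogoutResponse(logoutResponseXML);
                String location = logResp.getDestination();
                String statusVal = logResp.getStatus().getStatusCode().getValue();
                String newVal = getNewStatusCode(currentStatus, statusVal);
                if (!statusVal.equals(newVal)) {
                    // Apply the recomputed status code to the response, as the
                    // IDFF branch below does. (Re-setting statusVal here was a
                    // no-op, so the recomputed status never reached the SP.)
                    logResp.getStatus().getStatusCode().setValue(newVal);
                }
                if (debug.messageEnabled()) {
                    debug.message("SingleLogoutManager.sendLogoutRes:" + "(SAML2) location=" + location + " orig status=" + statusVal + ", new status=" + newVal + ", orig relay=" + origRelayState + ", realm=" + realm + ", idpEntityID=" + idpEntityID + ", spEntityID=" + spEntityID);
                }
                LogoutUtil.sendSLOResponse(response, logResp, location, origRelayState, realm, idpEntityID, SAML2Constants.IDP_ROLE, spEntityID);
            } catch (SAML2Exception ex) {
                debug.error("SingleLogoutManager.sendLogoutResponse:saml2", ex);
                // keep the original exception as the cause for diagnostics
                throw new IOException(ex.getMessage(), ex);
            }
        } else if (protocol.equals(SingleLogoutManager.IDFF)) {
            boolean failed = false;
            String logoutDoneURL = null;
            try {
                debug.message("SingleLogoutManager.sendLogoutResp: IDFF");
                IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
                ProviderDescriptorType descriptor = metaManager.getSPDescriptor(realm, spEntityID);
                String retURL = descriptor.getSingleLogoutServiceReturnURL();
                Element elem = XMLUtils.toDOMDocument(logoutResponseXML, SingleLogoutManager.debug).getDocumentElement();
                FSLogoutResponse responseLogout = new FSLogoutResponse(elem);
                BaseConfigType hostedConfig = metaManager.getIDPDescriptorConfig(realm, idpEntityID);
                logoutDoneURL = FSServiceUtils.getLogoutDonePageURL(request, hostedConfig, null);
                Status status = responseLogout.getStatus();
                String statusVal = status.getStatusCode().getValue();
                String newVal = getNewStatusCode(currentStatus, statusVal);
                if (!statusVal.equals(newVal)) {
                    com.sun.identity.saml.protocol.StatusCode statCode = new com.sun.identity.saml.protocol.StatusCode(newVal);
                    com.sun.identity.saml.protocol.Status stat = new com.sun.identity.saml.protocol.Status(statCode);
                    responseLogout.setStatus(stat);
                }
                if (debug.messageEnabled()) {
                    debug.message("SingleLogoutManager.sendLogoutRes:" + "(IDFF) orig status=" + statusVal + ", new status=" + newVal + ", orig relay=" + origRelayState + ", logout done URL=" + logoutDoneURL + ", realm=" + realm + ", idpEntityID=" + idpEntityID + ", spEntityID=" + spEntityID);
                }
                String urlEncodedResponse = responseLogout.toURLEncodedQueryString();
                // Sign the request querystring. When signing is on, a missing
                // signing cert alias aborts the flow (handled as failed below)
                // rather than sending the response unsigned.
                if (FSServiceUtils.isSigningOn()) {
                    String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.SIGNING_CERT_ALIAS);
                    if (certAlias == null || certAlias.length() == 0) {
                        if (debug.messageEnabled()) {
                            debug.message("SingleLogoutManager.sendLogoutRes:" + "signSAMLRequest couldn't obtain cert alias.");
                        }
                        throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT_ALIAS));
                    } else {
                        urlEncodedResponse = FSSignatureUtil.signAndReturnQueryString(urlEncodedResponse, certAlias);
                    }
                }
                StringBuffer redirectURL = new StringBuffer();
                redirectURL.append(retURL);
                if (retURL.indexOf(IFSConstants.QUESTION_MARK) == -1) {
                    redirectURL.append(IFSConstants.QUESTION_MARK);
                } else {
                    redirectURL.append(IFSConstants.AMPERSAND);
                }
                redirectURL.append(urlEncodedResponse);
                if (debug.messageEnabled()) {
                    debug.message("SingleLogoutManager.sendResponse " + "for IDFF, url = " + redirectURL.toString());
                }
                response.sendRedirect(redirectURL.toString());
            } catch (FSMsgException ex) {
                debug.error("SingleLogoutManager.sendLogoutRes", ex);
                failed = true;
            } catch (SAMLException ex) {
                debug.error("SingleLogoutManager.sendLogoutRes", ex);
                failed = true;
            } catch (IDFFMetaException ex) {
                debug.error("SingleLogoutManager.sendLogoutRes", ex);
                failed = true;
            } catch (IOException ex) {
                debug.error("SingleLogoutManager.sendLogoutRes", ex);
                failed = true;
            }
            if (failed) {
                // logoutDoneURL may still be null if the failure happened before
                // it was resolved; returnLocallyAfterOperation receives it as-is
                FSServiceUtils.returnLocallyAfterOperation(response, logoutDoneURL, false, IFSConstants.LOGOUT_SUCCESS, IFSConstants.LOGOUT_FAILURE);
            }
        } else if (protocol.equals(SingleLogoutManager.WS_FED)) {
            debug.message("SingleLogoutManager.sendLogoutResponse: WSFED");
            if (origRelayState != null) {
                response.sendRedirect(origRelayState);
            } else {
                response.getWriter().print("Logout DONE.");
            }
        } else {
            // should never come here; nothing is written to the response in
            // this case, the problem is only logged
            debug.error("SingleLogoutManager.sendLogoutResponse: invalid" + " protocol : " + protocol);
        }
    }
    cleanupParameters(relayState);
    return;
}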

Example 32 with SAMLResponderException

use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.

the class Request method signXML.

/**
 * Method to sign the Request with this site's signing certificate.
 * For SAML version 1.0 the serialized request string is signed and the
 * resulting signature is parsed back into a DOM element; otherwise the
 * request is signed as a DOM document (SAML 1.1 style, certificate included
 * in KeyInfo). On success {@code signature}, {@code signatureString} and
 * {@code xmlString} are updated and the request is marked as signed.
 *
 * @exception SAMLException if the Request is already signed, if this site's
 *            cert alias cannot be obtained (SAMLResponderException), or if
 *            could not sign the Request.
 */
public void signXML() throws SAMLException {
    if (signed) {
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("Request.signXML: the request is " + "already signed.");
        }
        throw new SAMLException(SAMLUtils.bundle.getString("alreadySigned"));
    }
    String siteCertAlias = SystemConfigurationUtil.getProperty("com.sun.identity.saml.xmlsig.certalias");
    if (siteCertAlias == null) {
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("Request.signXML: couldn't obtain " + "this site's cert Alias.");
        }
        throw new SAMLResponderException(SAMLUtils.bundle.getString("cannotFindCertAlias"));
    }
    XMLSignatureManager signer = XMLSignatureManager.getInstance();
    boolean isVersion10 = (majorVersion == 1) && (minorVersion == 0);
    if (isVersion10) {
        SAMLUtils.debug.message("Request.signXML: sign with version 1.0");
        signatureString = signer.signXML(this.toString(true, true), siteCertAlias);
        // keep a DOM copy of the signature so getSignature() can return it later
        signature = XMLUtils.toDOMDocument(signatureString, SAMLUtils.debug).getDocumentElement();
    } else {
        Document unsignedDoc = XMLUtils.toDOMDocument(this.toString(true, true), SAMLUtils.debug);
        // sign with SAML 1.1 spec & include cert in KeyInfo
        signature = signer.signXML(unsignedDoc, siteCertAlias, null, REQUEST_ID_ATTRIBUTE, getRequestID(), true, null);
        signatureString = XMLUtils.print(signature);
    }
    signed = true;
    // re-serialize once marked as signed (presumably so the signature is
    // included in the cached XML -- confirm in toString)
    xmlString = this.toString(true, true);
}

Example 33 with SAMLResponderException

use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.

the class Request method parseQuery.

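/**
 * This method parses the Query or SubjectQuery represented by a DOM tree
 * Node. It then checks and sets data members if it is a supported query,
 * such as AuthenticationQuery, AttributeQuery, or
 * <code>AuthorizationDecisionQuery</code>.
 * The query kind is taken from the first attribute whose local name is
 * {@code type} (the attribute namespace is not checked here); only one
 * query may be set, a second one is rejected.
 * @param child A DOM Node to be parsed.
 * @exception SAMLException if it's not a supported query
 *            (SAMLResponderException), or if the type attribute is missing
 *            or a query was already set (SAMLRequesterException).
 */
private void parseQuery(Node child) throws SAMLException {
    NamedNodeMap attributes = child.getAttributes();
    int attrCount = attributes.getLength();
    boolean found = false;
    for (int j = 0; j < attrCount; j++) {
        Attr attr = (Attr) attributes.item(j);
        String attrName = attr.getLocalName();
        if ((attrName == null) || !attrName.equals("type")) {
            continue;
        }
        String attrValue = attr.getNodeValue();
        if (attrValue.equals("AuthenticationQueryType")) {
            checkNoQuerySetYet("Request(Element): should" + " contain only one AuthenticationQuery.");
            contentType = AUTHENTICATION_QUERY;
            query = new AuthenticationQuery((Element) child);
        } else if (attrValue.equals("AuthorizationDecisionQueryType")) {
            checkNoQuerySetYet("Request(Element): should " + "contain one AuthorizationDecisionQuery.");
            contentType = AUTHORIZATION_DECISION_QUERY;
            query = new AuthorizationDecisionQuery((Element) child);
        } else if (attrValue.equals("AttributeQueryType")) {
            checkNoQuerySetYet("Request(Element): should " + "contain one AttributeQuery.");
            contentType = ATTRIBUTE_QUERY;
            query = new AttributeQuery((Element) child);
        } else {
            if (SAMLUtils.debug.messageEnabled()) {
                // log the unsupported type value (attrName is always "type" here)
                SAMLUtils.debug.message("Request(Element): This type of" + " " + attrValue + " is not supported.");
            }
            throw new SAMLResponderException(SAMLUtils.bundle.getString("queryNotSupported"));
        }
        // the type attribute was found and handled; ignore any further attributes
        found = true;
        break;
    }
    if (!found) {
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("Request(Element): missing" + " xsi:type definition in " + child.getLocalName());
        }
        throw new SAMLRequesterException(SAMLUtils.bundle.getString("wrongInput"));
    }
}

/**
 * Rejects a second query: if {@code contentType} already differs from
 * {@code NOT_SUPPORTED}, logs the given debug message and throws.
 * @param debugMessage message to log when debug messages are enabled.
 * @exception SAMLRequesterException if a query has already been set.
 */
private void checkNoQuerySetYet(String debugMessage) throws SAMLException {
    if (contentType != NOT_SUPPORTED) {
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message(debugMessage);
        }
        throw new SAMLRequesterException(SAMLUtils.bundle.getString("wrongInput"));
    }
}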

Example 34 with SAMLResponderException

use of com.sun.identity.saml.common.SAMLResponderException in project OpenAM by OpenRock.

the class Response method signXML.

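/**
 * Method that signs the Response with this site's signing certificate.
 * For SAML version 1.0 the serialized response string is signed and the
 * resulting signature is parsed back into a DOM element; otherwise the
 * response is signed as a DOM document (SAML 1.1 style, certificate included
 * in KeyInfo). On success {@code signature}, {@code signatureString} and
 * {@code xmlString} are updated and the response is marked as signed.
 *
 * @exception SAMLException if the Response is already signed, if this site's
 *            cert alias cannot be obtained (SAMLResponderException), or if
 *            could not sign the Response.
 */
public void signXML() throws SAMLException {
    if (signed) {
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("Response.signXML: the response is " + "already signed.");
        }
        throw new SAMLException(SAMLUtils.bundle.getString("alreadySigned"));
    }
    String certAlias = SystemConfigurationUtil.getProperty("com.sun.identity.saml.xmlsig.certalias");
    if (certAlias == null) {
        if (SAMLUtils.debug.messageEnabled()) {
            SAMLUtils.debug.message("Response.signXML: couldn't obtain " + "this site's cert alias.");
        }
        throw new SAMLResponderException(SAMLUtils.bundle.getString("cannotFindCertAlias"));
    }
    XMLSignatureManager manager = XMLSignatureManager.getInstance();
    if ((majorVersion == 1) && (minorVersion == 0)) {
        // log message named Request.signXML before (copy-paste); this is Response
        SAMLUtils.debug.message("Response.signXML: sign with version 1.0");
        signatureString = manager.signXML(this.toString(true, true), certAlias);
        // this block is used for later return of signature element by
        // getSignature() method
        signature = XMLUtils.toDOMDocument(signatureString, SAMLUtils.debug).getDocumentElement();
    } else {
        Document doc = XMLUtils.toDOMDocument(this.toString(true, true), SAMLUtils.debug);
        // sign with SAML 1.1 spec & include cert in KeyInfo
        signature = manager.signXML(doc, certAlias, null, RESPONSE_ID_ATTRIBUTE, getResponseID(), true, null);
        signatureString = XMLUtils.print(signature);
    }
    signed = true;
    // re-serialize once marked as signed (presumably so the signature is
    // included in the cached XML -- confirm in toString)
    xmlString = this.toString(true, true);
}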
