use of com.sun.identity.saml.protocol.Status in project OpenAM by OpenRock.
the class FSSSOAndFedHandler method doSingleSignOn.
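/**
 * Completes single sign-on for a user who already holds a valid session.
 * <p>
 * Looks up the federation record that links the local account to the
 * requesting provider (or, when the request names one, to its affiliation),
 * re-keys records that are still qualified with the hosted entity ID, picks
 * the IDP- and SP-side name identifiers and delegates to
 * {@code doSingleSignOn(ssoToken, inResponseTo, spNI, idpNI)}.
 *
 * @param ssoToken     authenticated session of the user
 * @param inResponseTo request ID that the AuthnResponse will answer
 * @return {@code true} when the delegated SSO step reports success;
 *         {@code false} when no federation record exists (in which case
 *         {@code noFedStatus} is set to lib:FederationDoesNotExist), when no
 *         name identifier is available, or when any exception occurs (the
 *         exception is logged, never propagated)
 */
protected boolean doSingleSignOn(Object ssoToken, String inResponseTo) {
    FSUtils.debug.message("FSSSOAndFedHandler.doSingleSignOn(2): Called");
    try {
        // Federation records are keyed on the affiliation when the request
        // carries one, otherwise on the requesting provider.
        String securityDomain = authnRequest.getProviderId();
        String affiliationID = authnRequest.getAffiliationID();
        if (affiliationID != null) {
            securityDomain = affiliationID;
        }
        SessionProvider sessionProvider = SessionManager.getProvider();
        String userID = sessionProvider.getPrincipalName(ssoToken);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.doSingleSignOn: " + "Initiating SSO for user with ID: " + userID);
        }
        FSAccountFedInfo accountInfo = accountManager.readAccountFedInfo(userID, securityDomain);
        if (accountInfo == null) {
            FSUtils.debug.error("FSSSOAndFedHandler.doSingleSignOn: Account Federation " + "Information not found for user with ID: " + userID);
            noFedStatus = new Status(new StatusCode("samlp:Responder", new StatusCode("lib:FederationDoesNotExist", null)), FSUtils.bundle.getString("AuthnRequestProcessingFailed"), null);
            String[] data = { userID };
            LogUtil.error(Level.INFO, LogUtil.USER_ACCOUNT_FEDERATION_INFO_NOT_FOUND, data, ssoToken);
            return false;
        }
        // Check if this is a 6.2-style record: its local name identifier is
        // qualified with the hosted entity ID instead of the remote provider.
        // Re-key it under securityDomain and remove the old key. (The former
        // "accountInfo != null" test here was redundant after the return above.)
        if (accountInfo.isFedStatusActive() && accountInfo.getLocalNameIdentifier() != null) {
            NameIdentifier localNI = accountInfo.getLocalNameIdentifier();
            String qualifier = localNI.getNameQualifier();
            if (qualifier != null && qualifier.equals(hostedEntityId)) {
                localNI = new NameIdentifier(localNI.getName(), securityDomain);
                NameIdentifier remoteNI = accountInfo.getRemoteNameIdentifier();
                if (remoteNI != null) {
                    remoteNI = new NameIdentifier(remoteNI.getName(), securityDomain);
                }
                FSAccountFedInfoKey newFedKey = new FSAccountFedInfoKey(securityDomain, localNI.getName());
                accountInfo = new FSAccountFedInfo(securityDomain, localNI, remoteNI, false);
                accountManager.writeAccountFedInfo(userID, newFedKey, accountInfo);
                FSAccountFedInfoKey oldFedKey = new FSAccountFedInfoKey(hostedEntityId, localNI.getName());
                accountManager.removeAccountFedInfoKey(userID, oldFedKey);
            }
        }
        // IDP handle: the local identifier, falling back to the remote one.
        NameIdentifier idpNI = accountInfo.getLocalNameIdentifier();
        if (idpNI == null) {
            idpNI = accountInfo.getRemoteNameIdentifier();
            if (idpNI == null) {
                FSUtils.debug.error("FSSSOAndFedHandler.doSingleSignOn: " + "NameIdentifier not found");
                return false;
            }
        } else if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.doSingleSignOn: " + "IDP generated opaque handle: " + idpNI.getName());
        }
        // SP handle: the remote identifier, falling back to the IDP handle.
        NameIdentifier spNI = accountInfo.getRemoteNameIdentifier();
        if (spNI == null) {
            spNI = idpNI;
        } else if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.doSingleSignOn: " + "SP generated opaque handle: " + spNI.getName());
        }
        return doSingleSignOn(ssoToken, inResponseTo, spNI, idpNI);
    } catch (Exception e) {
        FSUtils.debug.error("FSSSOAndFedHandler.doSingleSignOn: " + "Exception during Single Sign-On:", e);
        return false;
    }
}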
use of com.sun.identity.saml.protocol.Status in project OpenAM by OpenRock.
the class FSSSOAndFedHandler method processPreAuthnSSO.
/**
 * Handles authentication request.
 * <p>
 * Decides, for the incoming AuthnRequest, whether the user's current session
 * (if any) satisfies the requested authentication context, and then either
 * forwards the browser to a login URL, hands the request to a proxied IDP,
 * or continues with {@code processPostAuthnSSO}. Reads the servlet
 * {@code request}/{@code response}, {@code metaAlias}, {@code hostedConfig},
 * {@code realm} and {@code hostedEntityId} fields.
 * <p>
 * Outcomes, in order of evaluation:
 * <ul>
 * <li>not authenticated, IDP proxying enabled and not a federation request:
 *     the request is sent to the preferred remote IDP;</li>
 * <li>IsPassive + ForceAuthn: contradictory, returns {@code false};</li>
 * <li>IsPassive and not authenticated: {@code noFedStatus} becomes
 *     lib:NoPassive, returns {@code false};</li>
 * <li>ForceAuthn: any existing session is invalidated and the browser is
 *     forwarded to the login URL;</li>
 * <li>otherwise the authn decision handler either accepts the current
 *     context (continue to {@code processPostAuthnSSO}) or supplies a
 *     login URL to forward to.</li>
 * </ul>
 * @param authnRequest <code>FSAuthnRequest</code> object
 * @return <code>true</code> if the request is handled successfully;
 * <code>false</code> otherwise.
 */
public boolean processPreAuthnSSO(FSAuthnRequest authnRequest) {
FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: Called");
String loginURL = null;
List authenticationContextClassRef = null;
String currentAuthnContextRef = null;
String authType = null;
FSAuthContextResult authnResult = null;
FSSessionManager sessionMgr = FSSessionManager.getInstance(metaAlias);
// An AuthnContext element that carries no class references is treated as a
// request for password authentication.
if (authnRequest.getAuthnContext() != null) {
authenticationContextClassRef = authnRequest.getAuthnContext().getAuthnContextClassRefList();
if (authenticationContextClassRef == null) {
String authCtxRefDefault = IFSConstants.DEFAULT_AUTHNCONTEXT_PASSWORD;
authenticationContextClassRef = new ArrayList();
authenticationContextClassRef.add(authCtxRefDefault);
}
authType = authnRequest.getAuthContextCompType();
currentAuthnContextRef = null;
}
// 'authenticated' is assigned in every branch below; the initial value is
// never relied upon.
boolean authenticated = true;
Object ssoToken = null;
try {
SessionProvider sessionProvider = SessionManager.getProvider();
ssoToken = sessionProvider.getSession(request);
if (ssoToken == null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: " + "session is null. User is not authenticated.");
}
authenticated = false;
} else if (!sessionProvider.isValid(ssoToken)) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: " + "session is not valid. User is not authenticated.");
}
authenticated = false;
} else {
// Valid session: take the authn context recorded for it in FSSessionManager,
// else fall back to the hosted provider's configured default context.
FSSession ssoSession = sessionMgr.getSession(ssoToken);
if (ssoSession != null) {
currentAuthnContextRef = ssoSession.getAuthnContext();
if (currentAuthnContextRef != null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: User has an existing " + "valid session with authnContext: " + currentAuthnContextRef);
}
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: User's authentication" + " context information not found using " + "default authentication context");
}
currentAuthnContextRef = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.DEFAULT_AUTHNCONTEXT);
}
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler.process" + "PreAuthnSSO: User's authenticated session " + "information is not present in FSSessionManager. " + "using default authentication context");
}
currentAuthnContextRef = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.DEFAULT_AUTHNCONTEXT);
}
authenticated = true;
}
if (authenticated) {
// added in case of multiple SPs
// Best effort: a listener that cannot be attached is logged and ignored.
// Presumably the listener lets this handler react to session termination
// for every SP that used the session -- confirm against FSTokenListener.
try {
sessionProvider.addListener(ssoToken, new FSTokenListener(metaAlias));
} catch (Exception e) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: " + "Couldn't add listener to session:", e);
}
}
}
} catch (SessionException se) {
// NOTE(review): emitted without a messageEnabled() guard, unlike the other
// debug messages in this method.
FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: " + "SSOException Occured: User does not have session " + se.getMessage());
authenticated = false;
}
//Initiate proxying
// Only an unauthenticated, non-federation request is proxied; a proxy
// redirect surfaces as FSRedirectException and counts as handled.
if (!authenticated) {
try {
boolean isProxy = isIDPProxyEnabled(authnRequest);
if (isProxy && !authnRequest.getFederate()) {
String preferredIDP = getPreferredIDP(authnRequest);
if (preferredIDP != null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler.process" + "PreAuthnSSO:IDP to be proxied" + preferredIDP);
}
sendProxyAuthnRequest(authnRequest, preferredIDP);
return true;
}
//else continue for the local authentication.
}
} catch (FSRedirectException re) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandle.processPreAuthnSSO:" + "Redirecting for the proxy handling.");
}
return true;
} catch (Exception ex) {
FSUtils.debug.error("FSSSOAndFedHandler.processPreAuthnSSO:" + "Exception occured while processing for the proxy.", ex);
return false;
}
}
try {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: " + "User's authentication status: " + authenticated);
}
FSAuthnDecisionHandler authnDecisionHandler = new FSAuthnDecisionHandler(realm, hostedEntityId, request);
// Single-entry list holding the hosted provider's default authn context;
// used whenever the request did not name any context classes.
List defAuthnCxtList = new ArrayList();
defAuthnCxtList.add(IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.DEFAULT_AUTHNCONTEXT));
if (authnRequest.getIsPassive()) {
if (authnRequest.getForceAuthn()) {
// Passive and ForceAuthn cannot both be honoured. Note that
// noFedStatus is not set on this path, unlike the NoPassive case below.
if (FSUtils.debug.warningEnabled()) {
FSUtils.debug.warning("FSSSOAndFedHandler.PreAuthnSSO: " + "IDP is passive can't force authentication.");
}
return false;
} else {
if (authenticated) {
if (authenticationContextClassRef != null) {
authnResult = authnDecisionHandler.decideAuthnContext(authenticationContextClassRef, currentAuthnContextRef, authType);
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: User's " + "authentication context is default");
}
authnResult = authnDecisionHandler.getURLForAuthnContext(defAuthnCxtList, authType);
}
if (authnResult == null) {
return false;
}
if (authnResult.getLoginURL() != null) {
// When it's not null.,
// we should show the login page
// may be it'asking for higher auth context.
loginURL = authnResult.getLoginURL();
loginURL = formatLoginURL(loginURL, authnResult.getAuthContextRef());
FSUtils.forwardRequest(request, response, loginURL);
return true;
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: User's " + "authentication " + "context is evaluated to be valid");
}
return processPostAuthnSSO(authnRequest);
}
} else {
if (FSUtils.debug.warningEnabled()) {
FSUtils.debug.warning("FSSSOAndFedHandler.processPreAuthnSSO: " + "IDP is passive and user is not authenticated");
}
noFedStatus = new Status(new StatusCode("samlp:Responder", new StatusCode("lib:NoPassive", null)), FSUtils.bundle.getString("AuthnRequestProcessingFailed"), null);
return false;
}
}
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: AuthnRequest is active");
}
if (authnRequest.getForceAuthn()) {
// ForceAuthn: always go to the login URL for the requested (or default)
// context, never reuse the existing authentication.
if (authenticationContextClassRef != null) {
authnResult = authnDecisionHandler.getURLForAuthnContext(authenticationContextClassRef, authType);
} else {
authnResult = authnDecisionHandler.getURLForAuthnContext(defAuthnCxtList);
}
if (authnResult == null || authnResult.getLoginURL() == null || authnResult.getLoginURL().length() == 0) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO:" + "AuthnDecision engine failed to take a " + "authn decision");
}
return false;
} else {
// The existing session is invalidated before the redirect so the
// old authentication cannot satisfy a forced re-authentication.
// Failure to invalidate is logged only; the redirect still happens.
if (ssoToken != null) {
try {
SessionManager.getProvider().invalidateSession(ssoToken, request, response);
} catch (SessionException ssoe) {
FSUtils.debug.error("FSSSOAndFedHandler.processPreAuthnSSO:" + "Unable to invalidate the sso session.");
}
ssoToken = null;
}
loginURL = authnResult.getLoginURL();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: " + "AuthnDecision engine returned: " + loginURL);
}
}
loginURL = formatLoginURL(loginURL, authnResult.getAuthContextRef());
FSUtils.forwardRequest(request, response, loginURL);
// This is the only forward in the method followed by an explicit flush.
response.flushBuffer();
return true;
} else {
if (authenticated) {
if (authenticationContextClassRef != null) {
authnResult = authnDecisionHandler.decideAuthnContext(authenticationContextClassRef, currentAuthnContextRef, authType);
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: User's " + "authentication " + "context is default");
}
authnResult = authnDecisionHandler.getURLForAuthnContext(defAuthnCxtList, authType);
}
// null result: failure; null URL: current context is sufficient;
// empty URL: failure; otherwise forward to the login URL.
if (authnResult == null) {
return false;
} else if (authnResult.getLoginURL() == null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: User's " + "authentication " + "context is evaluated to be valid");
}
return processPostAuthnSSO(authnRequest);
} else if (authnResult.getLoginURL().length() == 0) {
return false;
} else {
loginURL = authnResult.getLoginURL();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO" + ": AuthnDecision engine returned: " + loginURL);
}
}
loginURL = formatLoginURL(loginURL, authnResult.getAuthContextRef());
FSUtils.forwardRequest(request, response, loginURL);
return true;
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: AuthnRequest is active");
}
//redirect for authentication authnContextRef
if (authenticationContextClassRef != null) {
authnResult = authnDecisionHandler.getURLForAuthnContext(authenticationContextClassRef, authType);
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler." + "processPreAuthnSSO: User's " + "authentication " + "context is default");
}
authnResult = authnDecisionHandler.getURLForAuthnContext(defAuthnCxtList, authType);
}
if (authnResult == null || authnResult.getLoginURL() == null || authnResult.getLoginURL().length() == 0) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler. processPreAuthnSSO: " + " AuthnDecision engine" + " failed to take a decision");
}
noFedStatus = new Status(new StatusCode("samlp:Responder", new StatusCode("lib:NoAuthnContext", null)), FSUtils.bundle.getString("AuthnRequestProcessingFailed"), null);
return false;
} else {
loginURL = authnResult.getLoginURL();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler.processPreAuthnSSO: " + "AuthnDecision engine returned: " + loginURL);
}
}
loginURL = formatLoginURL(loginURL, authnResult.getAuthContextRef());
FSUtils.forwardRequest(request, response, loginURL);
return true;
}
}
}
} catch (Exception e) {
// NOTE(review): the exception is logged without its stack trace (e is not
// passed to error()), and processing then continues into
// processPostAuthnSSO regardless of whether the user was authenticated or
// a forward had already been attempted. Confirm that processPostAuthnSSO
// re-validates the session; otherwise this catch-all is fail-open.
FSUtils.debug.error("FSSSOAndFedHandler.processPreAuthnSSO: " + "Exception occured");
return processPostAuthnSSO(authnRequest);
}
}
use of com.sun.identity.saml.protocol.Status in project OpenAM by OpenRock.
the class FSSingleLogoutHandler method doSoapProfile.
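/**
 * Initiates SOAP profile logout.
 * <p>
 * Builds a LogoutRequest for the user's federation with {@code providerId},
 * signs it when signing is enabled, posts it to the provider's SOAP endpoint,
 * verifies the signature on the reply (again, only when signing is enabled),
 * runs the SP adapter hook when this side is an SP, and maps the reply's
 * top-level status code to an {@link FSLogoutStatus}. On success the request
 * is kept in {@code requestLogout} and the reply in {@code respObj}.
 *
 * @param providerId the first provider with SOAP as logout profile
 * @return {@code SAML_SUCCESS} when the remote provider reported success or
 *         when no federation account remains to log out;
 *         {@code SAML_REQUESTER} when the reply's signature did not verify;
 *         the remote status value for any other non-success reply;
 *         {@code SAML_RESPONDER} on every local failure (logged, never thrown)
 */
private FSLogoutStatus doSoapProfile(String providerId) {
    FSUtils.debug.message("Entered IDP's doSoapProfile");
    try {
        FSSessionManager sMgr = FSSessionManager.getInstance(metaAlias);
        FSSession session = sMgr.getSession(ssoToken);
        FSAccountFedInfo currentAccount = null;
        if (session != null) {
            currentAccount = session.getAccountFedInfo();
        }
        // Fall back to the account store unless the session records a
        // one-time federation. A missing session must not be dereferenced
        // here: the previous code called session.getOneTime() on null, so a
        // logout without an FSSession always ended in SAML_RESPONDER. It is
        // now treated like a session without the one-time flag.
        if (currentAccount == null && (session == null || !session.getOneTime())) {
            currentAccount = FSLogoutUtil.getCurrentWorkingAccount(userID, providerId, metaAlias);
        }
        if (currentAccount == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSingleLogoutHandler. User's " + "account may have been terminated.");
            }
            return new FSLogoutStatus(IFSConstants.SAML_SUCCESS);
        }
        FSLogoutNotification reqLogout = createSingleLogoutRequest(currentAccount, sessionIndex);
        if (reqLogout == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("Unable to create logout request" + " Current Provider cannot be processed");
            }
            return new FSLogoutStatus(IFSConstants.SAML_RESPONDER);
        }
        // Set only after the null check (it used to precede it). The minor
        // version selects which ID attribute is signed below.
        reqLogout.setMinorVersion(getMinorVersion(remoteDescriptor));
        FSSOAPService instSOAP = FSSOAPService.getInstance();
        SOAPMessage msgLogout = null;
        if (instSOAP != null) {
            FSUtils.debug.message("Signing suceeded. To call bindLogoutRequest");
            reqLogout.setID(IFSConstants.LOGOUTID);
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("logout request before sign: " + reqLogout.toXMLString(true, true));
            }
            msgLogout = instSOAP.bind(reqLogout.toXMLString(true, true));
        }
        if (msgLogout == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("Unable to bindLogoutRequest." + "Current Provider cannot be processed");
            }
            return new FSLogoutStatus(IFSConstants.SAML_RESPONDER);
        }
        SOAPMessage retSOAPMessage;
        try {
            if (FSServiceUtils.isSigningOn()) {
                int minorVersion = reqLogout.getMinorVersion();
                switch (minorVersion) {
                    case IFSConstants.FF_11_PROTOCOL_MINOR_VERSION:
                        msgLogout = signLogoutRequest(msgLogout, IFSConstants.ID, reqLogout.getID());
                        break;
                    case IFSConstants.FF_12_PROTOCOL_MINOR_VERSION:
                        msgLogout = signLogoutRequest(msgLogout, IFSConstants.REQUEST_ID, reqLogout.getRequestID());
                        break;
                    default:
                        // NOTE(review): an unrecognised minor version sends the
                        // request UNSIGNED even though signing is on. Kept as-is;
                        // consider failing with SAML_RESPONDER instead.
                        FSUtils.debug.message("invalid minor version.");
                        break;
                }
            }
            retSOAPMessage = instSOAP.sendMessage(msgLogout, remoteDescriptor.getSoapEndpoint());
        } catch (Exception e) {
            FSUtils.debug.error("FSSOAPException in doSOAPProfile" + " Cannot send request", e);
            return new FSLogoutStatus(IFSConstants.SAML_RESPONDER);
        }
        if (retSOAPMessage == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("Unable to bindLogoutRequest." + "Current Provider cannot be processed");
            }
            return new FSLogoutStatus(IFSConstants.SAML_RESPONDER);
        }
        Element elt = instSOAP.parseSOAPMessage(retSOAPMessage);
        // The reply is only trusted once its signature verifies.
        if (FSServiceUtils.isSigningOn() && !verifyResponseSignature(retSOAPMessage)) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("Response " + "signature verification failed");
            }
            FSServiceUtils.returnLocallyAfterOperation(response, LOGOUT_DONE_URL, false, IFSConstants.LOGOUT_SUCCESS, IFSConstants.LOGOUT_FAILURE);
            return new FSLogoutStatus(IFSConstants.SAML_REQUESTER);
        }
        this.requestLogout = reqLogout;
        respObj = new FSLogoutResponse(elt);
        // Call SP Adapter preSingleLogout for SP/SOAP; adapter errors are
        // logged and ignored so they cannot block the logout.
        if (hostedRole != null && hostedRole.equalsIgnoreCase(IFSConstants.SP)) {
            FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(hostedEntityId, hostedConfig);
            if (spAdapter != null) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSSLOHandler." + "preSingleLogoutProcess, SP/SOAP");
                }
                try {
                    spAdapter.preSingleLogoutProcess(hostedEntityId, request, response, userID, reqLogout, respObj, IFSConstants.LOGOUT_SP_SOAP_PROFILE);
                } catch (Exception e) {
                    // ignore adapter error
                    FSUtils.debug.error("spAdapter." + "preSingleLogoutProcess, SP/SOAP:", e);
                }
            }
        }
        // Only the top-level status code decides the outcome.
        Status status = respObj.getStatus();
        StatusCode statusCode = (status == null) ? null : status.getStatusCode();
        String statusString = (statusCode == null) ? null : statusCode.getValue();
        if (statusString == null) {
            FSUtils.debug.error("FSSingleLogoutHandler: " + "doSoapProfile: logout response carries no status code");
            return new FSLogoutStatus(IFSConstants.SAML_RESPONDER);
        }
        if (statusString.equalsIgnoreCase(IFSConstants.SAML_SUCCESS)) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSingleLogoutHandler: " + " doSoapProfile returning success");
            }
            return new FSLogoutStatus(IFSConstants.SAML_SUCCESS);
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSingleLogoutHandler: " + "SOAP Profile failure " + statusString);
        }
        return new FSLogoutStatus(statusString);
    } catch (Exception e) {
        FSUtils.debug.error("In IOException of doSOAPProfile : ", e);
    }
    return new FSLogoutStatus(IFSConstants.SAML_RESPONDER);
}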
use of com.sun.identity.saml.protocol.Status in project OpenAM by OpenRock.
the class FSSSOAndFedHandler method createAuthnResponse.
/**
 * Builds the AuthnResponse that answers the current {@code authnRequest}.
 * <p>
 * Creates an assertion for the caller's session through the
 * {@code FSAssertionManager} bound to this meta alias, wraps it in a
 * response carrying a success status, and tags the response with the
 * request's minor version, the relay state and this provider's entity ID.
 * No signature is applied in this method (despite the trailing comment);
 * presumably the caller signs the response.
 *
 * @param ssoToken     session of the authenticated user
 * @param inResponseTo request ID the assertion refers to
 * @param userHandle   name identifier known to the SP
 * @param idpHandle    name identifier issued by this IDP
 * @return the populated response, or {@code null} when the assertion
 *         manager, the assertion, the response or the session ID lookup
 *         failed (each failure is logged)
 */
protected FSAuthnResponse createAuthnResponse(Object ssoToken, String inResponseTo, NameIdentifier userHandle, NameIdentifier idpHandle) {
    FSUtils.debug.message("FSSSOAndFedHandler.createAuthnResponse: Called");
    FSAuthnResponse authnResp;
    try {
        String requestID = authnRequest.getRequestID();
        FSAssertionManager assertionMgr = FSAssertionManager.getInstance(metaAlias);
        SessionProvider provider = SessionManager.getProvider();
        String sessionID = provider.getSessionID(ssoToken);
        int minorVersion = authnRequest.getMinorVersion();
        FSAssertion assertion = assertionMgr.createFSAssertion(sessionID, null, realm, spEntityId, userHandle, idpHandle, inResponseTo, minorVersion);
        Status okStatus = new Status(new StatusCode(IFSConstants.STATUS_CODE_SUCCESS));
        List payload = new ArrayList();
        payload.add(assertion);
        authnResp = new FSAuthnResponse(null, requestID, okStatus, payload, relayState);
        authnResp.setMinorVersion(minorVersion);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.createAuthnResponse: " + "CHECK1: " + hostedEntityId);
        }
        authnResp.setProviderId(hostedEntityId);
    } catch (FSException se) {
        FSUtils.debug.error("FSSSOAndFedHandler.createAuthnResponse: FSException: ", se);
        return null;
    } catch (SAMLException se) {
        FSUtils.debug.error("FSSSOAndFedHandler.createAuthnResponse: " + "SAMLException: ", se);
        return null;
    } catch (SessionException se) {
        FSUtils.debug.error("FSSSOAndFedHandler.createAuthnResponse: " + "SessionException: ", se);
        return null;
    }
    // sign AuthnResponse
    return authnResp;
}
use of com.sun.identity.saml.protocol.Status in project OpenAM by OpenRock.
the class FSSSOBrowserArtifactProfileHandler method createSAMLResponse.
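/**
 * Builds the SAML Response for a Browser/Artifact profile dereference
 * request received over SOAP.
 * <p>
 * Processing order (each failure returns an error response at once):
 * <ol>
 * <li>reject unsupported request content (samlp:Responder);</li>
 * <li>require an AssertionArtifact request whose artifacts all carry the
 *     same SourceID;</li>
 * <li>resolve the SP the artifact was issued to, require that it is a
 *     trusted provider, and record it in {@code spDescriptor} /
 *     {@code spEntityId};</li>
 * <li>when signing is on, verify the signature on the request;</li>
 * <li>look up each artifact's assertion and drop assertions whose
 *     AudienceRestrictionCondition does not name the SP.</li>
 * </ol>
 * Fixes over the previous version: a signature-verification failure can no
 * longer fall through into assertion retrieval when the error response
 * itself cannot be built; assertions are removed from the result with an
 * iterator instead of from under an index loop with a cached size; a null
 * response is no longer dereferenced when writing the access log.
 * <p>
 * Side effects: sets {@code spDescriptor} and {@code spEntityId} once the
 * SP is resolved; writes a CREATE_SAML_RESPONSE access-log entry for every
 * response that could be built.
 *
 * @param samlRequest the parsed samlp:Request
 * @return the response to return to the SP, or {@code null} only when the
 *         response object itself could not be constructed
 * @throws FSException propagated from the assertion manager's error-status
 *         lookup
 */
private FSResponse createSAMLResponse(FSSAMLRequest samlRequest) throws FSException {
    FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler.createSAMLResponse: Called");
    String respID = FSUtils.generateID();
    String inResponseTo = samlRequest.getRequestID();
    int minorVersion = samlRequest.getMinorVersion();
    // Empty payload used by every error response.
    List contents = new ArrayList();
    // Until the SP is resolved the "remote address" is the caller's IP. The
    // access-log prefix keeps the IP even after remoteAddr is swapped for the
    // provider ID below.
    String remoteAddr = ClientUtils.getClientIPAddress(request);
    String respPrefix = FSUtils.bundle.getString("responseLogMessage") + " " + remoteAddr;
    int reqType = samlRequest.getContentType();
    FSResponse retResponse;

    if (reqType == Request.NOT_SUPPORTED) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "Found element in the request which are not supported");
        }
        retResponse = newStatusResponse(respID, inResponseTo, "samlp:Responder", null, FSUtils.bundle.getString("unsupportedElement"), contents, minorVersion);
        logSAMLResponse(respPrefix, retResponse);
        return retResponse;
    }

    FSAssertionManager am;
    try {
        am = FSAssertionManager.getInstance(metaAlias);
    } catch (FSException se) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Cannot instantiate " + "FSAssertionManager");
        }
        retResponse = newStatusResponse(respID, inResponseTo, "samlp:Responder", null, se.getMessage(), contents, minorVersion);
        logSAMLResponse(respPrefix, retResponse);
        return retResponse;
    }

    if (reqType != Request.ASSERTION_ARTIFACT) {
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: No artifact found in samlRequest");
        return newStatusResponse(respID, inResponseTo, "samlp:Requester", null, FSUtils.bundle.getString("missingArtifact"), contents, minorVersion);
    }

    List artifacts = samlRequest.getAssertionArtifact();
    if (artifacts == null) {
        artifacts = new ArrayList();
    }

    // Ensure that all the artifacts have the same sourceID.
    String sourceID = null;
    AssertionArtifact art = null;
    for (Iterator it = artifacts.iterator(); it.hasNext(); ) {
        art = (AssertionArtifact) it.next();
        if (sourceID == null) {
            sourceID = art.getSourceID();
        } else if (!sourceID.equals(art.getSourceID())) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Artifacts not from " + "the same source");
            }
            // Second-level status: the federation does not exist.
            retResponse = newStatusResponse(respID, inResponseTo, "samlp:Requester", IFSConstants.FEDERATION_NOT_EXISTS_STATUS, FSUtils.bundle.getString("mismatchSourceID"), contents, minorVersion);
            logSAMLResponse(respPrefix, retResponse);
            return retResponse;
        }
    }

    // Resolve and vet the SP using the last artifact (all share a SourceID).
    // With no artifacts at all nothing is resolved or verified and the
    // request ends in an empty "mismatchDest" response below (unchanged).
    if (art != null) {
        String providerID;
        try {
            providerID = am.getDestIdForArtifact(art);
        } catch (FSException ex) {
            FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: FSException Occured while " + "retrieving sp's providerID for the artifact: ", ex);
            providerID = null;
        }
        if (providerID == null) {
            FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "artifact received does not correspond to any SP");
            try {
                // Prefer a status recorded earlier (by another call) for this
                // artifact; otherwise report "federation does not exist".
                Status status = am.getErrorStatus(art);
                if (status == null) {
                    status = new Status(new StatusCode("samlp:Requester", new StatusCode(IFSConstants.FEDERATION_NOT_EXISTS_STATUS, null)), FSUtils.bundle.getString("invalidSource"), null);
                }
                retResponse = newResponse(respID, inResponseTo, status, contents, minorVersion);
            } catch (SAMLException sse) {
                FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse:Fatal error, " + "cannot create status or response: ", sse);
                retResponse = null;
            }
            logSAMLResponse(respPrefix, retResponse);
            return retResponse;
        }
        try {
            if (!metaManager.isTrustedProvider(realm, hostedEntityId, providerID)) {
                FSUtils.debug.error("FSSSOAndFedHandler.processAuthnRequest: " + "RemoteProvider is not trusted");
                return newStatusResponse(respID, inResponseTo, "samlp:Requester", null, FSUtils.bundle.getString("AuthnRequestProcessingFailed"), contents, minorVersion);
            }
            spDescriptor = metaManager.getSPDescriptor(realm, providerID);
            spEntityId = providerID;
            remoteAddr = providerID;
        } catch (Exception ae) {
            FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "FSAllianceManagementException " + "Occured while getting", ae);
            return newStatusResponse(respID, inResponseTo, "samlp:Requester", null, ae.getMessage(), contents, minorVersion);
        }
        // Verify the request signature now that the signing SP is known.
        if (FSServiceUtils.isSigningOn()) {
            if (!verifySAMLRequestSignature(samlRequestElement, soapMsg)) {
                FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "SAMLRequest signature verification failed");
                // Fail closed: return whatever could be built (possibly null)
                // and never continue to dereference artifacts for an
                // unverified request.
                return newStatusResponse(respID, inResponseTo, "samlp:Requester", null, FSUtils.bundle.getString("signatureVerificationFailed"), contents, minorVersion);
            }
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOBrowserArtProfileHandler.createSAMLResp:" + " SAMLRequest signature verified");
            }
        }
    }

    // Dereference every artifact for the resolved SP.
    List assertions = new ArrayList();
    for (Iterator it = artifacts.iterator(); it.hasNext(); ) {
        AssertionArtifact artifact = (AssertionArtifact) it.next();
        Assertion assertion;
        try {
            assertion = am.getAssertion(artifact, spEntityId);
        } catch (FSException e) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler.createSAML" + "Response:could not find matching assertion:", e);
            }
            retResponse = newStatusResponse(respID, inResponseTo, "samlp:Success", null, e.getMessage(), contents, minorVersion);
            logSAMLResponse(respPrefix, retResponse);
            return retResponse;
        }
        if (assertion != null) {
            // Append rather than insert at the loop index: a skipped null
            // would otherwise make the positional insert throw.
            assertions.add(assertion);
        }
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: found " + assertions.size() + "assertions.");
    }

    // Drop assertions whose audience restriction does not name the SP. An
    // assertion without Conditions or without audience restrictions is kept,
    // matching the previous handling of an empty restriction set.
    for (Iterator it = assertions.iterator(); it.hasNext(); ) {
        Assertion assn = (Assertion) it.next();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: checking to see if assertions" + " are for host:" + remoteAddr);
        }
        Conditions conds = assn.getConditions();
        Set trcs = (conds == null) ? null : conds.getAudienceRestrictionCondition();
        if (trcs == null || trcs.isEmpty()) {
            continue;
        }
        for (Iterator trcsIterator = trcs.iterator(); trcsIterator.hasNext(); ) {
            if (!((AudienceRestrictionCondition) trcsIterator.next()).containsAudience(remoteAddr)) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: removing TRC not" + "meant for this host");
                }
                it.remove();
                break;
            }
        }
    }

    if (assertions.isEmpty()) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Matching Assertions(s) not " + "created for this host");
        }
        retResponse = newStatusResponse(respID, inResponseTo, "samlp:Success", null, FSUtils.bundle.getString("mismatchDest"), contents, minorVersion);
        logSAMLResponse(respPrefix, retResponse);
        return retResponse;
    }

    // Success. A status message is attached only when fewer assertions than
    // artifacts survived the checks above.
    String message = null;
    if (assertions.size() == artifacts.size()) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Matching Assertion found");
        }
    } else {
        message = FSUtils.bundle.getString("unequalMatch");
    }
    retResponse = newStatusResponse(respID, inResponseTo, "samlp:Success", null, message, assertions, minorVersion);
    logSAMLResponse(respPrefix, retResponse);
    return retResponse;
}

/**
 * Builds an FSResponse carrying a freshly constructed Status.
 *
 * @param respID          response ID
 * @param inResponseTo    request ID being answered
 * @param topLevelCode    e.g. "samlp:Requester"
 * @param secondLevelCode nested status code, or {@code null} for none
 * @param message         StatusMessage text, or {@code null}
 * @param contents        assertions (or an empty list) to include
 * @param minorVersion    minor version copied from the request
 * @return the response, or {@code null} (after logging) when the SAML
 *         objects could not be created
 */
private FSResponse newStatusResponse(String respID, String inResponseTo, String topLevelCode, String secondLevelCode, String message, List contents, int minorVersion) {
    try {
        StatusCode code;
        if (secondLevelCode == null) {
            code = new StatusCode(topLevelCode);
        } else {
            code = new StatusCode(topLevelCode, new StatusCode(secondLevelCode, null));
        }
        return newResponse(respID, inResponseTo, new Status(code, message, null), contents, minorVersion);
    } catch (SAMLException se) {
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Fatal error, " + "cannot create status or response: ", se);
        return null;
    }
}

/**
 * Wraps an existing Status in an FSResponse tagged with the request's
 * minor version.
 *
 * @throws SAMLException if the response cannot be constructed
 */
private FSResponse newResponse(String respID, String inResponseTo, Status status, List contents, int minorVersion) throws SAMLException {
    FSResponse resp = new FSResponse(respID, inResponseTo, status, contents);
    resp.setMinorVersion(minorVersion);
    return resp;
}

/**
 * Writes the CREATE_SAML_RESPONSE access-log entry: the full response at
 * FINER, otherwise just its response ID and InResponseTo. A {@code null}
 * response is skipped (its construction failure was already logged).
 */
private void logSAMLResponse(String respPrefix, FSResponse retResponse) {
    if (retResponse == null) {
        return;
    }
    if (LogUtil.isAccessLoggable(Level.FINER)) {
        String[] data = { respPrefix, retResponse.toString() };
        LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
    } else {
        String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
        LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
    }
}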