use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
the class SAML2Utils method createIssuer.
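/**
 * Creates an <code>Issuer</code> element whose value is the given entity identifier.
 * (The previous summary, "Returns url for redirection", described a different method.)
 *
 * @param entityID entityID for Issuer.
 * @return Issuer for the specified entityID.
 * @throws SAML2Exception if error in creating Issuer element.
 */
public static Issuer createIssuer(String entityID) throws SAML2Exception {
    String method = "createIssuer: ";
    Issuer issuer = assertionFactory.createIssuer();
    issuer.setValue(entityID);
    // toXMLString() is comparatively expensive, so it is only evaluated when
    // message-level debugging is enabled.
    if (debug.messageEnabled()) {
        debug.message(method + "Issuer : " + issuer.toXMLString());
    }
    return issuer;
}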
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
the class AssertionImpl method processElement.
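/**
 * Populates this assertion from a DOM <code>saml:Assertion</code> element.
 * <p>
 * The required <code>Version</code>, <code>ID</code> and <code>IssueInstant</code>
 * attributes are read first. Element children are then consumed in schema order:
 * <code>Issuer</code> (required), then the optional <code>ds:Signature</code>,
 * <code>Subject</code>, <code>Conditions</code> and <code>Advice</code>, followed by
 * any number of statements. Non-element child nodes (whitespace, comments) are
 * skipped throughout. Returning early because the children run out leaves the
 * later optional fields unassigned.
 * <p>
 * NOTE(review): a <code>ds:Signature</code> found among the statements is also
 * accepted and overwrites the one captured after <code>Issuer</code>; the schema
 * places the signature directly after <code>Issuer</code>, so confirm that signature
 * verification elsewhere does not rely on this field reflecting a specific position.
 *
 * @param element the root <code>Assertion</code> element.
 * @throws SAML2Exception if the element is null, has the wrong local name, lacks a
 *         required attribute, has an unparsable issue instant, has no
 *         <code>Issuer</code> as its first element child, or contains an
 *         unexpected subelement.
 */
private void processElement(Element element) throws SAML2Exception {
    if (element == null) {
        SAML2SDKUtils.debug.error("AssertionImpl.processElement(): invalid root element");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalid_element"));
    }
    String elemName = element.getLocalName();
    if (elemName == null) {
        SAML2SDKUtils.debug.error("AssertionImpl.processElement(): local name missing");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_local_name"));
    }
    if (!elemName.equals(ASSERTION_ELEMENT)) {
        SAML2SDKUtils.debug.error("AssertionImpl.processElement(): invalid local name " + elemName);
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalid_local_name"));
    }

    // Required attributes, assigned in order so an earlier one is kept even when a
    // later one is missing.
    version = requiredAttribute(element, ASSERTION_VERSION_ATTR, "version missing", "missing_assertion_version");
    id = requiredAttribute(element, ASSERTION_ID_ATTR, "assertion id missing", "missing_assertion_id");
    String instant = requiredAttribute(element, ASSERTION_ISSUEINSTANT_ATTR, "issue instant missing", "missing_issue_instant");
    try {
        issueInstant = DateUtils.stringToDate(instant);
    } catch (ParseException pe) {
        SAML2SDKUtils.debug.error("AssertionImpl.processElement(): invalid issue instant");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalid_date_format"));
    }

    // Subelements. The first element child must be <Issuer>.
    NodeList nodes = element.getChildNodes();
    int numOfNodes = nodes.getLength();
    int nextElem = nextElementIndex(nodes, 0);
    if (nextElem < 0) {
        SAML2SDKUtils.debug.error("AssertionImpl.processElement(): assertion has no subelements");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_subelements"));
    }
    AssertionFactory factory = AssertionFactory.getInstance();
    Node child = nodes.item(nextElem);
    String childName = child.getLocalName();
    if ((childName == null) || (!childName.equals(ASSERTION_ISSUER))) {
        SAML2SDKUtils.debug.error("AssertionImpl.processElement(): the first element is not <Issuer>");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_subelement_issuer"));
    }
    issuer = factory.createIssuer((Element) child);

    nextElem = nextElementIndex(nodes, nextElem + 1);
    if (nextElem < 0) {
        return;
    }
    child = nodes.item(nextElem);
    childName = child.getLocalName();

    // Optional <ds:Signature>
    if ((childName != null) && childName.equals(ASSERTION_SIGNATURE)) {
        signature = XMLUtils.print((Element) child);
        nextElem = nextElementIndex(nodes, nextElem + 1);
        if (nextElem < 0) {
            return;
        }
        child = nodes.item(nextElem);
        childName = child.getLocalName();
    } else {
        signature = null;
    }

    // Optional <Subject>
    if ((childName != null) && childName.equals(ASSERTION_SUBJECT)) {
        subject = factory.createSubject((Element) child);
        nextElem = nextElementIndex(nodes, nextElem + 1);
        if (nextElem < 0) {
            return;
        }
        child = nodes.item(nextElem);
        childName = child.getLocalName();
    } else {
        subject = null;
    }

    // Optional <Conditions>
    if ((childName != null) && childName.equals(ASSERTION_CONDITIONS)) {
        conditions = factory.createConditions((Element) child);
        nextElem = nextElementIndex(nodes, nextElem + 1);
        if (nextElem < 0) {
            return;
        }
        child = nodes.item(nextElem);
        childName = child.getLocalName();
    } else {
        conditions = null;
    }

    // Optional <Advice>; the statement loop below does its own element skipping.
    if ((childName != null) && childName.equals(ASSERTION_ADVICE)) {
        advice = factory.createAdvice((Element) child);
        nextElem++;
    } else {
        advice = null;
    }

    // Remaining element children are statements. Element children without a local
    // name are ignored; any other unknown element is rejected.
    for (; nextElem < numOfNodes; nextElem++) {
        child = nodes.item(nextElem);
        if (child.getNodeType() != Node.ELEMENT_NODE) {
            continue;
        }
        childName = child.getLocalName();
        if (childName == null) {
            continue;
        }
        if (childName.equals(ASSERTION_AUTHNSTATEMENT)) {
            authnStatements.add(factory.createAuthnStatement((Element) child));
        } else if (childName.equals(ASSERTION_AUTHZDECISIONSTATEMENT)) {
            authzDecisionStatements.add(factory.createAuthzDecisionStatement((Element) child));
        } else if (childName.equals(ASSERTION_ATTRIBUTESTATEMENT)) {
            attributeStatements.add(factory.createAttributeStatement((Element) child));
        } else if (childName.equals(ASSERTION_SIGNATURE)) {
            signature = XMLUtils.print((Element) child);
        } else {
            // A generic <Statement> is only accepted when it carries an xsi:type.
            String type = ((Element) child).getAttribute(XSI_TYPE_ATTR);
            if (childName.equals(ASSERTION_STATEMENT) && (type != null && type.length() > 0)) {
                statements.add(XMLUtils.print((Element) child));
            } else {
                SAML2SDKUtils.debug.error("AssertionImpl.processElement(): unexpected subelement " + childName);
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("unexpected_subelement"));
            }
        }
    }
}

/**
 * Reads a required attribute, failing with the given log detail and bundle key when
 * it is absent or empty.
 *
 * @param element the element to read from.
 * @param attrName attribute name.
 * @param logDetail text appended to the debug error message.
 * @param bundleKey resource-bundle key of the exception message.
 * @return the non-empty attribute value.
 * @throws SAML2Exception if the attribute is missing or empty.
 */
private static String requiredAttribute(Element element, String attrName, String logDetail, String bundleKey)
        throws SAML2Exception {
    String value = element.getAttribute(attrName);
    if ((value == null) || (value.length() == 0)) {
        SAML2SDKUtils.debug.error("AssertionImpl.processElement(): " + logDetail);
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString(bundleKey));
    }
    return value;
}

/**
 * Returns the index of the first element node in {@code nodes} at or after
 * {@code from}, or -1 when there is none.
 *
 * @param nodes child node list.
 * @param from index to start scanning at.
 * @return index of the next element node, or -1.
 */
private static int nextElementIndex(NodeList nodes, int from) {
    int count = nodes.getLength();
    for (int i = from; i < count; i++) {
        if (nodes.item(i).getNodeType() == Node.ELEMENT_NODE) {
            return i;
        }
    }
    return -1;
}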
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
the class WSFederationUtils method isSignatureValid.
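/**
 * Determine the validity of the signature on the <code>Assertion</code>.
 * <p>
 * The verification certificate is resolved from the issuer's entity descriptor in
 * the given realm. A metadata or verification exception is treated as an invalid
 * signature. Every negative result is audit-logged; the full signed XML is only
 * placed in the log record when FINER logging is enabled, otherwise just the
 * assertion ID.
 *
 * @param assertion SAML 1.1 Assertion
 * @param realm Realm for the issuer
 * @param issuer Assertion issuer - used to retrieve certificate for
 * signature validation.
 * @return true if the signature on the object is valid; false otherwise.
 */
public static boolean isSignatureValid(Assertion assertion, String realm, String issuer) {
    boolean valid = false;
    String signedXMLString = assertion.toString(true, true);
    String id = assertion.getAssertionID();
    try {
        FederationElement idp = metaManager.getEntityDescriptor(realm, issuer);
        X509Certificate cert = KeyUtil.getVerificationCert(idp, issuer, true);
        valid = SigManager.getSigInstance().verify(signedXMLString, id, Collections.singleton(cert));
    } catch (WSFederationMetaException ex) {
        // Metadata lookup failed: fail closed; the failure is logged below.
        valid = false;
    } catch (SAML2Exception ex) {
        // Verification error: fail closed; the failure is logged below.
        valid = false;
    }
    if (!valid) {
        String[] data = { LogUtil.isErrorLoggable(Level.FINER) ? signedXMLString : id, realm, issuer };
        LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE_ASSERTION, data, null);
    }
    return valid;
}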
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
the class QueryHandlerServlet method processXACMLResponse.
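/**
 * Returns the received Response to the Requester.
 * Validates the message signature if signed and invokes the
 * Request Handler to pass the request for further processing.
 * <p>
 * When the PDP metadata requires signed queries, an unsigned query, a PEP with no
 * verification certificates, or a signature that does not verify is rejected.
 * The response and its first assertion are stamped with a fresh ID, version,
 * issue instant and the PDP as issuer; the assertion is signed and/or encrypted
 * according to the PEP's metadata and XACML configuration, and finally the
 * response itself is signed.
 *
 * @param realm realm of the entity.
 * @param pdpEntityID entity identifier of Policy Decision Point (PDP).
 * @param samlRequest the <code>RequestAbstract</code> object.
 * @param request the <code>HttpServletRequest</code> object.
 * @param soapMsg the <code>SOAPMessage</code> object.
 * @return the <code>Response</code> built by the request handler.
 * @exception <code>SAML2Exception</code> if there is an error processing
 * the request and returning a response.
 */
Response processXACMLResponse(String realm, String pdpEntityID, RequestAbstract samlRequest, HttpServletRequest request, SOAPMessage soapMsg) throws SAML2Exception {
    String classMethod = "QueryHandlerServlet:processXACMLResponse";

    // The handler key is the path segment after the metaAlias marker. getPathInfo()
    // may be null and the marker may be absent; in both cases no handler can match.
    String path = request.getPathInfo();
    String key = null;
    if (path != null) {
        int keyIndex = path.indexOf(METAALIAS_KEY);
        // 10 is taken as the marker length — TODO confirm against METAALIAS_KEY.
        if (keyIndex >= 0 && keyIndex + 10 <= path.length()) {
            key = path.substring(keyIndex + 10);
        }
    }

    // NOTE(review): the PEP entity ID comes from the query's Issuer and is only
    // authenticated when pdpWantAuthzQuerySigned is true and the signature verifies
    // against that PEP's metadata certificates. Issuer is assumed present — confirm.
    String pepEntityID = samlRequest.getIssuer().getValue();
    if (debug.messageEnabled()) {
        debug.message(classMethod + "SOAPMessage KEY . :" + key);
        debug.message(classMethod + "pepEntityID is :" + pepEntityID);
    }

    // Retrieve metadata
    boolean pdpWantAuthzQuerySigned = SAML2Utils.getWantXACMLAuthzDecisionQuerySigned(realm, pdpEntityID, SAML2Constants.PDP_ROLE);
    if (debug.messageEnabled()) {
        debug.message(classMethod + "PDP wantAuthzQuerySigned:" + pdpWantAuthzQuerySigned);
    }
    if (pdpWantAuthzQuerySigned) {
        if (!samlRequest.isSigned()) {
            debug.error(classMethod + "Request not signed");
            throw new SAML2Exception("nullSig");
        }
        XACMLAuthzDecisionQueryDescriptorElement pep = SAML2Utils.getSAML2MetaManager().getPolicyEnforcementPointDescriptor(realm, pepEntityID);
        Set<X509Certificate> verificationCerts = KeyUtil.getPEPVerificationCerts(pep, pepEntityID);
        // No certificates means nothing to verify against: fail closed.
        if (verificationCerts.isEmpty() || !samlRequest.isSignatureValid(verificationCerts)) {
            debug.error(classMethod + "Invalid signature in message");
            throw new SAML2Exception("invalidQuerySignature");
        }
        if (debug.messageEnabled()) {
            debug.message(classMethod + "Valid signature found");
        }
    }

    // Look up the request handler registered for this metaAlias.
    RequestHandler handler = (key == null) ? null : (RequestHandler) SOAPBindingService.handlers.get(key);
    if (handler == null) {
        debug.error(classMethod + "RequestHandler not found");
        throw new SAML2Exception("missingRequestHandler");
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + "Found handler");
    }
    Response samlResponse = handler.handleQuery(pdpEntityID, pepEntityID, samlRequest, soapMsg);

    // Response attributes: fresh ID, version, issue instant, and the PDP as issuer.
    // The same Issuer instance is reused for the assertion.
    Issuer issuer = AssertionFactory.getInstance().createIssuer();
    issuer.setValue(pdpEntityID);
    Date now = new Date();
    samlResponse.setID(SAML2Utils.generateID());
    samlResponse.setVersion(SAML2Constants.VERSION_2_0);
    samlResponse.setIssueInstant(now);
    samlResponse.setIssuer(issuer);

    // Assertion attributes. NOTE(review): the handler is assumed to return at least
    // one assertion; an empty list fails on get(0) — confirm handleQuery guarantees it.
    List<Assertion> assertionList = samlResponse.getAssertion();
    Assertion assertion = assertionList.get(0);
    assertion.setID(SAML2Utils.generateID());
    assertion.setVersion(SAML2Constants.VERSION_2_0);
    assertion.setIssueInstant(now);
    assertion.setIssuer(issuer);

    // Sign and/or encrypt the assertion as the PEP's metadata and config require.
    String wantAssertionEncrypted = SAML2Utils.getAttributeValueFromXACMLConfig(realm, SAML2Constants.PEP_ROLE, pepEntityID, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
    XACMLAuthzDecisionQueryDescriptorElement pepDescriptor = SAML2Utils.getSAML2MetaManager().getPolicyEnforcementPointDescriptor(realm, pepEntityID);
    boolean wantAssertionSigned = pepDescriptor.isWantAssertionsSigned();
    if (debug.messageEnabled()) {
        debug.message(classMethod + " wantAssertionSigned :" + wantAssertionSigned);
    }
    // The assertion is signed before it is (optionally) encrypted.
    if (wantAssertionSigned) {
        signAssertion(realm, pdpEntityID, assertion);
    }
    if (wantAssertionEncrypted != null && wantAssertionEncrypted.equalsIgnoreCase(SAML2Constants.TRUE)) {
        EncInfo encInfo = KeyUtil.getPEPEncInfo(pepDescriptor, pepEntityID);
        EncryptedAssertion encryptedAssertion = assertion.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), pepEntityID);
        if (encryptedAssertion == null) {
            debug.error(classMethod + "Assertion encryption failed.");
            throw new SAML2Exception("FailedToEncryptAssertion");
        }
        List<EncryptedAssertion> encryptedAssertions = new ArrayList<EncryptedAssertion>();
        encryptedAssertions.add(encryptedAssertion);
        samlResponse.setEncryptedAssertion(encryptedAssertions);
        // The plaintext assertion must not be sent alongside the encrypted one.
        samlResponse.setAssertion(new ArrayList<Assertion>());
        if (debug.messageEnabled()) {
            debug.message(classMethod + "Assertion encrypted.");
        }
    } else {
        List<Assertion> assertions = new ArrayList<Assertion>();
        assertions.add(assertion);
        samlResponse.setAssertion(assertions);
    }
    signResponse(samlResponse, realm, pepEntityID, pdpEntityID);
    return samlResponse;
}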
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
the class QueryClient method createIssuer.
/**
 * Builds an <code>Issuer</code> carrying the given entity identifier.
 *
 * @param entityID entity identifier.
 * @return the <code>Issuer</code> object.
 * @exception <code>SAML2Exception</code> if there is an error creating
 * the issuer.
 */
private static Issuer createIssuer(String entityID) throws SAML2Exception {
    AssertionFactory factory = AssertionFactory.getInstance();
    Issuer result = factory.createIssuer();
    result.setValue(entityID);
    return result;
}