Search in sources :

Example 1 with SAML2Exception

use of com.sun.identity.saml2.common.SAML2Exception in project OpenAM by OpenRock.

the class XACMLAuthzDecisionQueryHandler method handleQuery.

/**
     * Processes an XACMLAuthzDecisionQuery and retruns a SAML2 Response.
     *
     * @param pdpEntityId EntityID of PDP
     * @param pepEntityId EntityID of PEP
     * @param samlpRequest SAML2 Request, an XAMLAuthzDecisionQuery
     * @param soapMessage SOAPMessage that carried the SAML2 Request
     * @return SAML2 Response with an XAMLAuthzDecisionStatement
     * @exception SAML2Exception if the query can not be handled
     */
public com.sun.identity.saml2.protocol.Response handleQuery(String pdpEntityId, String pepEntityId, RequestAbstract samlpRequest, SOAPMessage soapMessage) throws SAML2Exception {
    //TODO: logging, i18n
    //TODO: long term, allow different mapper impls for  different
    //combination of pdp, pep
    SubjectMapper subjectMapper = new FMSubjectMapper();
    subjectMapper.initialize(pdpEntityId, pepEntityId, null);
    ResourceMapper resourceMapper = new FMResourceMapper();
    resourceMapper.initialize(pdpEntityId, pepEntityId, null);
    ActionMapper actionMapper = new FMActionMapper();
    actionMapper.initialize(pdpEntityId, pepEntityId, null);
    EnvironmentMapper environmentMapper = new FMEnvironmentMapper();
    environmentMapper.initialize(pdpEntityId, pepEntityId, null);
    ResultMapper resultMapper = new FMResultMapper();
    resultMapper.initialize(pdpEntityId, pepEntityId, null);
    boolean evaluationFailed = false;
    String statusCodeValue = null;
    if (XACMLSDKUtils.debug.messageEnabled()) {
        XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery(), entering" + ":pdpEntityId=" + pdpEntityId + ":pepEntityId=" + pepEntityId + ":samlpRequest=\n" + samlpRequest.toXMLString(true, true) + ":soapMessage=\n" + soapMessage);
    }
    Request xacmlRequest = ((XACMLAuthzDecisionQuery) samlpRequest).getRequest();
    boolean returnContext = ((XACMLAuthzDecisionQuery) samlpRequest).getReturnContext();
    SSOToken ssoToken = null;
    String resourceName = null;
    String serviceName = null;
    String actionName = null;
    Map environment = null;
    boolean booleanDecision = false;
    try {
        //get native sso token
        ssoToken = (SSOToken) subjectMapper.mapToNativeSubject(xacmlRequest.getSubjects());
        if (ssoToken == null) {
            //TODO: log message and fill missing attribute details 
            statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
            evaluationFailed = true;
        } else {
            if (XACMLSDKUtils.debug.messageEnabled()) {
                XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery()," + "created ssoToken");
            }
        }
        if (ssoToken != null) {
            //get native service name, resource name 
            List resources = xacmlRequest.getResources();
            Resource resource = null;
            if (!resources.isEmpty()) {
                //We deal with only one resource for now
                resource = (Resource) resources.get(0);
            }
            if (resource != null) {
                String[] resourceService = resourceMapper.mapToNativeResource(resource);
                if (resourceService != null) {
                    if (resourceService.length > 0) {
                        resourceName = resourceService[0];
                    }
                    if (resourceService.length > 1) {
                        serviceName = resourceService[1];
                    }
                }
            }
            if (resourceName == null) {
                //TODO: log message and fill missing attribute details 
                statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
                evaluationFailed = true;
            }
            if (serviceName == null) {
                //TODO: log message and fill missing attribute details
                throw new SAML2Exception(XACMLSDKUtils.xacmlResourceBundle.getString("missing_attribute"));
            }
        }
        if (serviceName != null) {
            //get native action name
            if (serviceName != null) {
                actionName = actionMapper.mapToNativeAction(xacmlRequest.getAction(), serviceName);
            }
            if (actionName == null) {
                //TODO: log message and fill missing attribute details
                statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
                evaluationFailed = true;
            }
        }
    //get environment map
    /*
            environment = environmentMapper.mapToNativeEnvironment(
                    xacmlRequest.getEnvironment(), 
                    xacmlRequest.getSubjects());
            */
    } catch (XACMLException xe) {
        statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
        evaluationFailed = true;
        if (XACMLSDKUtils.debug.warningEnabled()) {
            XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", xe);
        }
    }
    //get native policy deicison using native policy evaluator
    if (!evaluationFailed) {
        try {
            PolicyEvaluator pe = new PolicyEvaluator(serviceName);
            booleanDecision = pe.isAllowed(ssoToken, resourceName, actionName, environment);
        } catch (SSOException ssoe) {
            if (XACMLSDKUtils.debug.warningEnabled()) {
                XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", ssoe);
            }
            evaluationFailed = true;
        } catch (PolicyException pe) {
            if (XACMLSDKUtils.debug.warningEnabled()) {
                XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", pe);
            }
            evaluationFailed = true;
        }
    }
    //decision: Indeterminate, Deny, Permit, NotApplicable
    //status code: missing_attribute, syntax_error, processing_error, ok
    Decision decision = ContextFactory.getInstance().createDecision();
    Status status = ContextFactory.getInstance().createStatus();
    StatusCode code = ContextFactory.getInstance().createStatusCode();
    StatusMessage message = ContextFactory.getInstance().createStatusMessage();
    StatusDetail detail = ContextFactory.getInstance().createStatusDetail();
    detail.getElement().insertBefore(detail.getElement().cloneNode(true), null);
    if (evaluationFailed) {
        decision.setValue(XACMLConstants.INDETERMINATE);
        if (statusCodeValue == null) {
            statusCodeValue = XACMLConstants.STATUS_CODE_PROCESSING_ERROR;
        }
        code.setValue(statusCodeValue);
        //TODO: i18n
        message.setValue("processing_error");
    } else if (booleanDecision) {
        decision.setValue(XACMLConstants.PERMIT);
        code.setValue(XACMLConstants.STATUS_CODE_OK);
        //TODO: i18n
        message.setValue("ok");
    } else {
        decision.setValue(XACMLConstants.DENY);
        code.setValue(XACMLConstants.STATUS_CODE_OK);
        //TODO: i18n
        message.setValue("ok");
    }
    Result result = ContextFactory.getInstance().createResult();
    String resourceId = resourceName;
    List resources = xacmlRequest.getResources();
    Resource resource = null;
    if (!resources.isEmpty()) {
        //We deal with only one resource for now
        resource = (Resource) resources.get(0);
        if (resource != null) {
            List attributes = resource.getAttributes();
            if (attributes != null) {
                for (int count = 0; count < attributes.size(); count++) {
                    Attribute attr = (Attribute) attributes.get(count);
                    if (attr != null) {
                        URI tmpURI = attr.getAttributeId();
                        if (tmpURI.toString().equals(XACMLConstants.RESOURCE_ID)) {
                            Element element = (Element) attr.getAttributeValues().get(0);
                            resourceId = XMLUtils.getElementValue(element);
                            break;
                        }
                    }
                }
            }
        }
    }
    result.setResourceId(resourceId);
    result.setDecision(decision);
    status.setStatusCode(code);
    status.setStatusMessage(message);
    status.setStatusDetail(detail);
    result.setStatus(status);
    Response response = ContextFactory.getInstance().createResponse();
    response.addResult(result);
    XACMLAuthzDecisionStatement statement = ContextFactory.getInstance().createXACMLAuthzDecisionStatement();
    statement.setResponse(response);
    if (returnContext) {
        statement.setRequest(xacmlRequest);
    }
    com.sun.identity.saml2.protocol.Response samlpResponse = createSamlpResponse(statement, status.getStatusCode().getValue());
    if (XACMLSDKUtils.debug.messageEnabled()) {
        XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery(), returning" + ":samlResponse=\n" + samlpResponse.toXMLString(true, true));
    }
    return samlpResponse;
}
Also used : SSOToken(com.iplanet.sso.SSOToken) Attribute(com.sun.identity.xacml.context.Attribute) Element(org.w3c.dom.Element) SSOException(com.iplanet.sso.SSOException) StatusCode(com.sun.identity.xacml.context.StatusCode) URI(java.net.URI) Result(com.sun.identity.xacml.context.Result) ResourceResult(com.sun.identity.policy.ResourceResult) ActionMapper(com.sun.identity.xacml.spi.ActionMapper) XACMLAuthzDecisionStatement(com.sun.identity.xacml.saml2.XACMLAuthzDecisionStatement) PolicyEvaluator(com.sun.identity.policy.PolicyEvaluator) SubjectMapper(com.sun.identity.xacml.spi.SubjectMapper) PolicyException(com.sun.identity.policy.PolicyException) ResourceMapper(com.sun.identity.xacml.spi.ResourceMapper) ArrayList(java.util.ArrayList) List(java.util.List) Status(com.sun.identity.xacml.context.Status) Request(com.sun.identity.xacml.context.Request) Resource(com.sun.identity.xacml.context.Resource) EnvironmentMapper(com.sun.identity.xacml.spi.EnvironmentMapper) Decision(com.sun.identity.xacml.context.Decision) XACMLException(com.sun.identity.xacml.common.XACMLException) StatusMessage(com.sun.identity.xacml.context.StatusMessage) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) Response(com.sun.identity.xacml.context.Response) ResultMapper(com.sun.identity.xacml.spi.ResultMapper) StatusDetail(com.sun.identity.xacml.context.StatusDetail) XACMLAuthzDecisionQuery(com.sun.identity.xacml.saml2.XACMLAuthzDecisionQuery) Map(java.util.Map)

Example 2 with SAML2Exception

use of com.sun.identity.saml2.common.SAML2Exception in project OpenAM by OpenRock.

the class AssertionGen method getAuthStatementList.

/**
 *Generate auth statements and retun a list of auth statements
 *
 */
private List getAuthStatementList() {
    AuthnStatement authnStatement = AssertionFactory.getInstance().createAuthnStatement();
    AuthnContext authnContext = AssertionFactory.getInstance().createAuthnContext();
    List AuthStatementList = new ArrayList();
    try {
        authnContext.setAuthnContextClassRef(SAML2Constants.CLASSREF_PASSWORD_PROTECTED_TRANSPORT);
        authnStatement.setAuthnContext(authnContext);
        authnStatement.setAuthnInstant(new Date());
        authnStatement.setSessionIndex("session_index");
        AuthStatementList.add(authnStatement);
    } catch (SAML2Exception ex) {
        Logger.getLogger(AssertionGen.class.getName()).log(Level.SEVERE, null, ex);
    }
    return AuthStatementList;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) ArrayList(java.util.ArrayList) List(java.util.List) ArrayList(java.util.ArrayList) Date(java.util.Date)

Example 3 with SAML2Exception

use of com.sun.identity.saml2.common.SAML2Exception in project OpenAM by OpenRock.

the class AssertionGen method getCondition.

/**
 *Add condition to the SAML assertion
 *
 */
private Conditions getCondition(String SPEntityID) {
    Conditions conditions = AssertionFactory.getInstance().createConditions();
    AudienceRestriction ar = AssertionFactory.getInstance().createAudienceRestriction();
    List SPIDList = new ArrayList();
    List ARList = new ArrayList();
    try {
        conditions.setNotBefore(new Date());
        SPIDList.add(SPEntityID);
        ar.setAudience(SPIDList);
        ARList.add(ar);
        conditions.setAudienceRestrictions(ARList);
    } catch (SAML2Exception ex) {
        Logger.getLogger(AssertionGen.class.getName()).log(Level.SEVERE, null, ex);
    }
    return conditions;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) ArrayList(java.util.ArrayList) List(java.util.List) ArrayList(java.util.ArrayList) Date(java.util.Date)

Example 4 with SAML2Exception

use of com.sun.identity.saml2.common.SAML2Exception in project OpenAM by OpenRock.

the class DefaultFedletAdapter method onFedletSLOSuccessOrFailure.

private void onFedletSLOSuccessOrFailure(HttpServletRequest request, HttpServletResponse response, LogoutRequest logoutReq, LogoutResponse logoutRes, String hostedEntityID, String idpEntityID, String binding, boolean isSuccess) throws SAML2Exception {
    String method = "DefaultFedletAdapter:onFedletSLOSuccessOrFailure:";
    try {
        if (logoutUrl == null) {
            BaseConfigType spConfig = SAML2Utils.getSAML2MetaManager().getSPSSOConfig("/", hostedEntityID);
            List appLogoutURL = (List) SAML2MetaUtils.getAttributes(spConfig).get(SAML2Constants.APP_LOGOUT_URL);
            if ((appLogoutURL != null) && !appLogoutURL.isEmpty()) {
                logoutUrl = (String) appLogoutURL.get(0);
            }
        }
        if (logoutUrl == null) {
            String deployuri = request.getRequestURI();
            int slashLoc = deployuri.indexOf("/", 1);
            if (slashLoc != -1) {
                deployuri = deployuri.substring(0, slashLoc);
            }
            if (deployuri != null) {
                String url = request.getRequestURL().toString();
                int loc = url.indexOf(deployuri + "/");
                if (loc != -1) {
                    logoutUrl = url.substring(0, loc + deployuri.length()) + "/logout";
                }
            }
        }
        if (logoutUrl == null) {
            return;
        }
        URL url = new URL(logoutUrl);
        HttpURLConnection conn = HttpURLConnectionManager.getConnection(url);
        conn.setDoOutput(true);
        conn.setRequestMethod("POST");
        conn.setFollowRedirects(false);
        conn.setInstanceFollowRedirects(false);
        // replay cookies
        String strCookies = SAML2Utils.getCookiesString(request);
        if (strCookies != null) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(method + "Sending cookies : " + strCookies);
            }
            conn.setRequestProperty("Cookie", strCookies);
        }
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setRequestProperty("IDP", URLEncDec.encode(idpEntityID));
        conn.setRequestProperty("SP", URLEncDec.encode(hostedEntityID));
        if (logoutReq != null) {
            NameID nameID = logoutReq.getNameID();
            if (nameID != null) {
                conn.setRequestProperty("NameIDValue", URLEncDec.encode(nameID.getValue()));
            }
            List siList = logoutReq.getSessionIndex();
            if ((siList != null) && (!siList.isEmpty())) {
                conn.setRequestProperty("SessionIndex", URLEncDec.encode((String) siList.get(0)));
            }
        }
        conn.setRequestProperty("Binding", binding);
        if (isSuccess) {
            conn.setRequestProperty("SLOStatus", "Success");
        } else {
            conn.setRequestProperty("SLOStatus", "Failure");
        }
        OutputStream outputStream = conn.getOutputStream();
        // Write the request to the HTTP server.
        outputStream.write("".getBytes());
        outputStream.flush();
        outputStream.close();
        // Check response code
        if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(method + "Response code OK");
            }
        } else {
            SAML2Utils.debug.error(method + "Response code NOT OK: " + conn.getResponseCode());
        }
    } catch (Exception e) {
    }
    return;
}
Also used : BaseConfigType(com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType) HttpURLConnection(java.net.HttpURLConnection) NameID(com.sun.identity.saml2.assertion.NameID) OutputStream(java.io.OutputStream) List(java.util.List) URL(java.net.URL) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)

Example 5 with SAML2Exception

use of com.sun.identity.saml2.common.SAML2Exception in project OpenAM by OpenRock.

the class DefaultIDPAccountMapper method getNameID.

@Override
public NameID getNameID(Object session, String hostEntityID, String remoteEntityID, String realm, String nameIDFormat) throws SAML2Exception {
    String userID;
    try {
        SessionProvider sessionProv = SessionManager.getProvider();
        userID = sessionProv.getPrincipalName(session);
    } catch (SessionException se) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
    }
    String nameIDValue = null;
    if (nameIDFormat.equals(SAML2Constants.NAMEID_TRANSIENT_FORMAT)) {
        String sessionIndex = IDPSSOUtil.getSessionIndex(session);
        if (sessionIndex != null) {
            IDPSession idpSession = IDPCache.idpSessionsByIndices.get(sessionIndex);
            if (idpSession != null) {
                List<NameIDandSPpair> list = idpSession.getNameIDandSPpairs();
                if (list != null) {
                    for (NameIDandSPpair pair : list) {
                        if (pair.getSPEntityID().equals(remoteEntityID)) {
                            nameIDValue = pair.getNameID().getValue();
                            break;
                        }
                    }
                }
            }
        }
        if (nameIDValue == null) {
            nameIDValue = getNameIDValueFromUserProfile(realm, hostEntityID, userID, nameIDFormat);
            if (nameIDValue == null) {
                nameIDValue = SAML2Utils.createNameIdentifier();
            }
        }
    } else {
        nameIDValue = getNameIDValueFromUserProfile(realm, hostEntityID, userID, nameIDFormat);
        if (nameIDValue == null) {
            if (nameIDFormat.equals(SAML2Constants.PERSISTENT)) {
                nameIDValue = SAML2Utils.createNameIdentifier();
            } else {
                throw new SAML2Exception(bundle.getString("unableToGenerateNameIDValue"));
            }
        }
    }
    NameID nameID = AssertionFactory.getInstance().createNameID();
    nameID.setValue(nameIDValue);
    nameID.setFormat(nameIDFormat);
    nameID.setNameQualifier(hostEntityID);
    nameID.setSPNameQualifier(remoteEntityID);
    nameID.setSPProvidedID(null);
    return nameID;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) NameIDandSPpair(com.sun.identity.saml2.profile.NameIDandSPpair) IDPSession(com.sun.identity.saml2.profile.IDPSession) NameID(com.sun.identity.saml2.assertion.NameID) SessionException(com.sun.identity.plugin.session.SessionException) SessionProvider(com.sun.identity.plugin.session.SessionProvider)

Aggregations

SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)275 ArrayList (java.util.ArrayList)92 List (java.util.List)86 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)72 Element (org.w3c.dom.Element)64 SessionException (com.sun.identity.plugin.session.SessionException)56 IOException (java.io.IOException)51 SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)44 Map (java.util.Map)44 HashMap (java.util.HashMap)43 Iterator (java.util.Iterator)43 Issuer (com.sun.identity.saml2.assertion.Issuer)42 Date (java.util.Date)40 SOAPException (javax.xml.soap.SOAPException)39 SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)39 X509Certificate (java.security.cert.X509Certificate)36 NodeList (org.w3c.dom.NodeList)36 IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)35 Node (org.w3c.dom.Node)34 Response (com.sun.identity.saml2.protocol.Response)30