
Example 1 with ManageNameIDResponse

use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.

the class DoManageNameID method processPOSTRequest.

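/**
 * Processes a ManageNameID request received over the HTTP-POST binding.
 *
 * <p>The request is read from the {@code SAMLRequest} form parameter, Base64
 * decoded and parsed into a {@link ManageNameIDRequest}, checked against the
 * hosted entity's supported bindings, verified with {@code verifyMNIRequest},
 * and answered with a signed ManageNameIDResponse that is POSTed back to the
 * remote entity's MNI endpoint taken from its metadata. A request that cannot
 * be decoded is reported to the client and rejected, never silently ignored.
 *
 * @param request the HttpServletRequest.
 * @param response the HttpServletResponse.
 * @param paramsMap Map of all other parameters; the host entity role is read from it.
 * @throws SAML2Exception if the request is missing or undecodable, the POST binding is
 *         not supported by the hosted entity, verification fails, or the response
 *         cannot be posted.
 * @throws IOException if error generation DOM from input stream.
 * @throws SOAPException if error generating soap message.
 * @throws SessionException if error processing the request from remote entity.
 * @throws ServletException if request length is invalid.
 */
public static void processPOSTRequest(HttpServletRequest request, HttpServletResponse response, Map paramsMap) throws SAML2Exception, IOException, SOAPException, SessionException, ServletException {
    String classMethod = "DoManageNameID.processPOSTRequest:";
    String samlRequest = request.getParameter(SAML2Constants.SAML_REQUEST);
    if (samlRequest == null) {
        // SC_* are interface constants; reference them through the type, not the instance.
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST, "MissingSAMLRequest", SAML2Utils.bundle.getString("MissingSAMLRequest"));
        throw new SAML2Exception(SAML2Utils.bundle.getString("MissingSAMLRequest"));
    }
    String metaAlias = SAML2MetaUtils.getMetaAliasByUri(request.getRequestURI());
    if (metaAlias == null) {
        logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("MetaAliasNotFound"));
    }
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
    String hostEntityRole = SAML2Utils.getHostEntityRole(paramsMap);
    // Refuse the request unless the hosted entity's metadata advertises MNI over HTTP-POST.
    boolean isSupported;
    if (SAML2Constants.IDP_ROLE.equals(hostEntityRole)) {
        isSupported = SAML2Utils.isIDPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_POST);
    } else {
        isSupported = SAML2Utils.isSPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_POST);
    }
    if (!isSupported) {
        debug.error(classMethod + "MNI binding: POST is not supported for " + hostEntityID);
        String[] data = { hostEntityID, SAML2Constants.HTTP_POST };
        LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    // Never null: the helper reports and throws on every decode/parse failure.
    ManageNameIDRequest mniRequest = parsePostedMNIRequest(request, response, samlRequest);
    // Guard the Issuer element itself as well as its value, so a request without an
    // Issuer yields the same clean error instead of a NullPointerException.
    String remoteEntityID = (mniRequest.getIssuer() == null) ? null : mniRequest.getIssuer().getValue();
    if (remoteEntityID == null) {
        logError("nullRemoteEntityID", LogUtil.MISSING_ENTITY, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullRemoteEntityID"));
    }
    if (debug.messageEnabled()) {
        debug.message("DoManageNameID.processPOSTRequest: " + "Meta Alias is : " + metaAlias);
        debug.message("DoManageNameID.processPOSTRequest: " + "Host EntityID is : " + hostEntityID);
        debug.message("DoManageNameID.processPOSTRequest: " + "Remote EntityID is : " + remoteEntityID);
    }
    // Signature and Destination checks happen here, before any state is touched.
    String dest = mniRequest.getDestination();
    boolean valid = verifyMNIRequest(mniRequest, realm, remoteEntityID, hostEntityID, hostEntityRole, dest);
    if (!valid) {
        logError("invalidSignInRequest", LogUtil.MNI_REQUEST_INVALID_SIGNATURE, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInRequest"));
    }
    // The response goes to the remote entity's endpoint from *its* metadata, never to a
    // URL supplied in the request. ResponseLocation wins over Location when both are set.
    ManageNameIDServiceElement mniService = getMNIServiceElement(realm, remoteEntityID, hostEntityRole, SAML2Constants.HTTP_POST);
    String mniURL = mniService.getResponseLocation();
    if (mniURL == null) {
        mniURL = mniService.getLocation();
    }
    ///common for post, redirect, soap
    ManageNameIDResponse mniResponse = processManageNameIDRequest(mniRequest, metaAlias, remoteEntityID, paramsMap, null, SAML2Constants.HTTP_POST, request, response);
    signMNIResponse(mniResponse, realm, hostEntityID, hostEntityRole, remoteEntityID);
    //send MNI Response by POST
    String mniRespString = mniResponse.toXMLString(true, true);
    String encMsg = SAML2Utils.encodeForPOST(mniRespString);
    // RelayState is echoed back to the remote entity unchanged; it is not used as a
    // redirect target here. NOTE(review): confirm postToTarget escapes it for the form.
    String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
    try {
        SAML2Utils.postToTarget(request, response, "SAMLResponse", encMsg, "RelayState", relayState, mniURL);
    } catch (Exception e) {
        // Failing to deliver the response is an error, not a debug-level event; keep the
        // cause in the log because the thrown exception cannot carry it.
        debug.error(classMethod + "Error posting to target", e);
        throw new SAML2Exception("Error posting to target");
    }
}

/**
 * Base64-decodes the posted {@code SAMLRequest} value and parses it into a
 * {@link ManageNameIDRequest}.
 *
 * <p>Every failure mode — undecodable Base64, unparseable XML, a document that
 * is not a ManageNameIDRequest, or a decode that yields nothing without
 * throwing — is reported to the client with {@code SAMLUtils.sendError} and
 * rethrown as a {@link SAML2Exception}, so callers never receive {@code null}.
 *
 * @param request the HttpServletRequest.
 * @param response the HttpServletResponse used for the error page.
 * @param samlRequest the raw, non-null {@code SAMLRequest} parameter value.
 * @return the parsed request, never {@code null}.
 * @throws SAML2Exception if the value cannot be decoded or parsed.
 * @throws IOException if the error page cannot be written.
 * @throws ServletException if the error page cannot be dispatched.
 */
private static ManageNameIDRequest parsePostedMNIRequest(HttpServletRequest request, HttpServletResponse response, String samlRequest) throws SAML2Exception, IOException, ServletException {
    String classMethod = "DoManageNameID.processPOSTRequest:";
    ManageNameIDRequest mniRequest = null;
    try {
        byte[] raw = Base64.decode(samlRequest);
        if (raw != null) {
            // Closing a ByteArrayInputStream is a documented no-op, so no try/finally is needed.
            Document doc = XMLUtils.toDOMDocument(new ByteArrayInputStream(raw), SAML2Utils.debug);
            if (doc != null) {
                mniRequest = ProtocolFactory.getInstance().createManageNameIDRequest(doc.getDocumentElement());
            }
        }
    } catch (SAML2Exception se) {
        // A malformed SAML document is a client error.
        debug.error(classMethod, se);
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST, "nullDecodedStrFromSamlResponse", SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse") + " " + se.getMessage());
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
    } catch (Exception e) {
        // Anything else (parser or runtime failure) is reported as a server error.
        debug.error(classMethod, e);
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "nullDecodedStrFromSamlResponse", SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse") + " " + e.getMessage());
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
    }
    if (mniRequest == null) {
        // Decode or parse produced nothing without throwing: fail closed rather than
        // returning a 200 with no response, which the previous flow did.
        debug.error(classMethod + "no ManageNameIDRequest could be decoded from SAMLRequest");
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST, "nullDecodedStrFromSamlResponse", SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
    }
    return mniRequest;
}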

Example 2 with ManageNameIDResponse

use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.

the class ManageNameIDResponseImpl method parseElement.

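/**
 * Populates this response from a {@code ManageNameIDResponse} DOM element.
 *
 * <p>The ID, Version, IssueInstant, Destination, Consent and InResponseTo
 * attributes are read (the first three are validated), then the Issuer,
 * Signature, Extensions and Status children are parsed. A Signature child
 * only records that the response is signed ({@code isSigned}) and keeps its
 * serialized form; no verification happens here.
 *
 * @param element the DOM element to parse.
 * @throws SAML2Exception if {@code element} is null, its local name is not
 *         {@code elementName}, or one of the validated attributes is invalid.
 */
private void parseElement(Element element) throws SAML2Exception {
    AssertionFactory af = AssertionFactory.getInstance();
    ProtocolFactory pf = ProtocolFactory.getInstance();
    // make sure that the input xml block is not null
    if (element == null) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ManageNameIDResponseImpl.parseElement: Input is null.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }
    // Make sure this is a ManageNameIDResponse. Only the local name is compared;
    // the element's namespace is not checked here.
    String tag = element.getLocalName();
    if ((tag == null) || !tag.equals(elementName)) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ManageNameIDResponseImpl.parseElement:" + "not ManageNameIDResponse.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("wrongInput"));
    }
    responseId = element.getAttribute("ID");
    validateID(responseId);
    version = element.getAttribute("Version");
    validateVersion(version);
    // NOTE(review): the instant is only validated here; presumably validateIssueInstant stores it — confirm.
    String issueInstantStr = element.getAttribute("IssueInstant");
    validateIssueInstant(issueInstantStr);
    destination = element.getAttribute("Destination");
    consent = element.getAttribute("Consent");
    inResponseTo = element.getAttribute("InResponseTo");
    NodeList children = element.getChildNodes();
    if (children == null) {
        return;
    }
    for (int i = 0; i < children.getLength(); i++) {
        Node child = children.item(i);
        String cName = child.getLocalName();
        if (cName == null) {
            // Text, comment and other non-element nodes carry no local name; skip them.
            continue;
        }
        if (cName.equals("Issuer")) {
            issuer = af.createIssuer((Element) child);
        } else if (cName.equals("Signature")) {
            signatureString = XMLUtils.getElementString((Element) child);
            isSigned = true;
        } else if (cName.equals("Extensions")) {
            extensions = pf.createExtensions((Element) child);
        } else if (cName.equals("Status")) {
            status = pf.createStatus((Element) child);
        }
    }
}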

Example 3 with ManageNameIDResponse

use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.

the class DoManageNameID method processHttpRequest.

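/**
 * Parses the request parameters and process the ManageNameID
 * Request from the remote entity received over the HTTP-Redirect binding.
 *
 * <p>The request signature is only checked when the host entity's metadata
 * requires it ({@code SAML2Utils.getWantMNIRequestSigned}); otherwise an
 * unsigned request is accepted as-is. The response is returned to the remote
 * entity's MNI endpoint taken from its own metadata, not from the request.
 *
 * @param request the HttpServletRequest.
 * @param response the HttpServletResponse.
 * @param paramsMap Map of all other parameters.
 * @throws SAML2Exception if error occurred while processing the request.
 * @throws SessionException if error processing the request from remote entity.
 * @throws ServletException if request length is invalid.
 */
public static void processHttpRequest(HttpServletRequest request, HttpServletResponse response, Map paramsMap) throws SAML2Exception, SessionException, ServletException {
    String method = "processHttpRequest: ";
    // Reject oversized requests before any parsing (DoS protection).
    SAMLUtils.checkHTTPContentLength(request);
    String requestURL = request.getRequestURI();
    String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
    if (metaAlias == null) {
        logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("MetaAliasNotFound"));
    }
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    String hostEntity = metaManager.getEntityByMetaAlias(metaAlias);
    String hostRole = SAML2Utils.getHostEntityRole(paramsMap);
    // Refuse the request unless the hosted entity's metadata advertises MNI over HTTP-Redirect.
    boolean isSupported;
    if (SAML2Constants.IDP_ROLE.equals(hostRole)) {
        isSupported = SAML2Utils.isIDPProfileBindingSupported(realm, hostEntity, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
    } else {
        isSupported = SAML2Utils.isSPProfileBindingSupported(realm, hostEntity, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
    }
    if (!isSupported) {
        debug.error(method + "MNI binding: Redirect is not supported for " + hostEntity);
        String[] data = { hostEntity, SAML2Constants.HTTP_REDIRECT };
        LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    // Retrieve ManageNameIDRequest
    ManageNameIDRequest mniRequest = getMNIRequest(request);
    // Guard the Issuer element itself as well as its value, so a request without an
    // Issuer yields the same clean error instead of a NullPointerException.
    String remoteEntityID = (mniRequest.getIssuer() == null) ? null : mniRequest.getIssuer().getValue();
    if (remoteEntityID == null) {
        logError("nullRemoteEntityID", LogUtil.MISSING_ENTITY, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullRemoteEntityID"));
    }
    boolean needToVerify = SAML2Utils.getWantMNIRequestSigned(realm, hostEntity, hostRole);
    if (needToVerify) {
        // For the redirect binding the signature is verified over the raw query string,
        // not over the parsed request object.
        String queryString = request.getQueryString();
        boolean valid = SAML2Utils.verifyQueryString(queryString, realm, hostRole, remoteEntityID);
        if (!valid) {
            logError("invalidSignInRequest", LogUtil.MNI_REQUEST_INVALID_SIGNATURE, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInRequest"));
        }
    }
    String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
    if (debug.messageEnabled()) {
        debug.message(method + "Meta Alias is : " + metaAlias);
        debug.message(method + "Remote EntityID is : " + remoteEntityID);
        debug.message(method + "Host Entity role is : " + hostRole);
        debug.message(method + "Relay state is : " + relayState);
    }
    try {
        // ResponseLocation wins over Location when the remote metadata sets both.
        ManageNameIDServiceElement mniService = getMNIServiceElement(realm, remoteEntityID, hostRole, SAML2Constants.HTTP_REDIRECT);
        String mniURL = mniService.getResponseLocation();
        if (mniURL == null) {
            mniURL = mniService.getLocation();
        }
        ManageNameIDResponse mniResponse = processManageNameIDRequest(mniRequest, metaAlias, remoteEntityID, paramsMap, mniURL, SAML2Constants.HTTP_REDIRECT, request, response);
        sendMNIResponse(response, mniResponse, mniURL, relayState, realm, hostEntity, hostRole, remoteEntityID);
    } catch (SAML2MetaException e) {
        // Keep the underlying metadata failure in the log; the rethrown exception
        // carries only the generic message.
        debug.error(method + "metadata error for remote entity " + remoteEntityID, e);
        logError("metaDataError", LogUtil.METADATA_ERROR, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
}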

Example 4 with ManageNameIDResponse

use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.

the class DoManageNameID method processSOAPRequest.

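/**
 * Parses the request parameters and process the ManageNameID
 * Request from the remote entity received over the SOAP binding.
 *
 * <p>The SOAP body is parsed into a {@link ManageNameIDRequest}, verified with
 * {@code verifyMNIRequest}, and answered synchronously: the signed
 * ManageNameIDResponse is wrapped in a SOAP message and written straight to
 * {@code response}.
 *
 * @param request the HttpServletRequest.
 * @param response the HttpServletResponse.
 * @param paramsMap Map of all other parameters.
 * @throws SAML2Exception if error occurred while processing the request.
 * @throws IOException if error generation DOM from input stream.
 * @throws SOAPException if error generating soap message.
 * @throws ServletException if request length is invalid.
 */
public static void processSOAPRequest(HttpServletRequest request, HttpServletResponse response, Map paramsMap) throws SAML2Exception, IOException, SOAPException, ServletException {
    String method = "processSOAPRequest: ";
    // Reject oversized requests before any parsing (DoS protection).
    SAMLUtils.checkHTTPContentLength(request);
    String requestURL = request.getRequestURI();
    String hostEntityRole = SAML2Utils.getHostEntityRole(paramsMap);
    String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
    if (metaAlias == null) {
        logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("MetaAliasNotFound"));
    }
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    String hostEntity = metaManager.getEntityByMetaAlias(metaAlias);
    // Refuse the request unless the hosted entity's metadata advertises MNI over SOAP.
    boolean isSupported;
    if (SAML2Constants.IDP_ROLE.equals(hostEntityRole)) {
        isSupported = SAML2Utils.isIDPProfileBindingSupported(realm, hostEntity, SAML2Constants.MNI_SERVICE, SAML2Constants.SOAP);
    } else {
        isSupported = SAML2Utils.isSPProfileBindingSupported(realm, hostEntity, SAML2Constants.MNI_SERVICE, SAML2Constants.SOAP);
    }
    if (!isSupported) {
        debug.error(method + "MNI binding: SOAP is not supported for " + hostEntity);
        String[] data = { hostEntity, SAML2Constants.SOAP };
        LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    // Retrieve a SOAPMessage
    SOAPMessage message = SOAPCommunicator.getInstance().getSOAPMessage(request);
    ManageNameIDRequest mniRequest = getMNIRequest(message);
    // Guard the Issuer element itself as well as its value, so a request without an
    // Issuer yields the same clean error instead of a NullPointerException.
    String remoteEntityID = (mniRequest.getIssuer() == null) ? null : mniRequest.getIssuer().getValue();
    if (remoteEntityID == null) {
        logError("nullRemoteEntityID", LogUtil.MISSING_ENTITY, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullRemoteEntityID"));
    }
    if (debug.messageEnabled()) {
        debug.message(method + "Meta Alias is : " + metaAlias);
        debug.message(method + "Host EntityID is : " + hostEntity);
        debug.message(method + "Remote EntityID is : " + remoteEntityID);
    }
    // Signature and Destination checks happen here, before any state is touched.
    String dest = mniRequest.getDestination();
    boolean valid = verifyMNIRequest(mniRequest, realm, remoteEntityID, hostEntity, hostEntityRole, dest);
    if (!valid) {
        logError("invalidSignInRequest", LogUtil.MNI_REQUEST_INVALID_SIGNATURE, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInRequest"));
    }
    ManageNameIDResponse mniResponse = processManageNameIDRequest(mniRequest, metaAlias, remoteEntityID, paramsMap, null, SAML2Constants.SOAP, request, response);
    signMNIResponse(mniResponse, realm, hostEntity, hostEntityRole, remoteEntityID);
    SOAPMessage reply = SOAPCommunicator.getInstance().createSOAPMessage(mniResponse.toXMLString(true, true), false);
    if (reply == null) {
        logError("errorObtainResponse", LogUtil.CANNOT_INSTANTIATE_MNI_RESPONSE, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("errorObtainResponse"));
    }
    /*  Need to call saveChanges because we're
     * going to use the MimeHeaders to set HTTP
     * response information. These MimeHeaders
     * are generated as part of the save. */
    if (reply.saveRequired()) {
        reply.saveChanges();
    }
    response.setStatus(HttpServletResponse.SC_OK);
    SAML2Utils.putHeaders(reply.getMimeHeaders(), response);
    // Write out the message on the response stream; the servlet container owns
    // and closes the stream, so only a flush is needed here.
    OutputStream os = response.getOutputStream();
    reply.writeTo(os);
    os.flush();
}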

Example 5 with ManageNameIDResponse

use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.

the class DoManageNameID method signMNIResponse.

/**
 * Signs the ManageNameIDResponse when the remote entity asks for signed MNI responses.
 *
 * <p>The decision is taken from the <em>remote</em> entity's
 * {@code WantMNIResponseSigned} setting, looked up in the role opposite to the
 * host's (an IDP host consults the remote SP's metadata and vice versa). The
 * key comes from the host entity's signing certificate alias; the certificate
 * is embedded in the signature only when {@code includeCert} is set.
 *
 * @param mniResponse the response to sign, modified in place.
 * @param realm the realm of the host entity.
 * @param hostEntity the host entity ID.
 * @param hostEntityRole the role of the host entity (IDP or SP).
 * @param remoteEntity the remote entity ID whose metadata decides whether to sign.
 * @param includeCert whether to include the host's X.509 certificate in the signature.
 * @throws SAML2Exception if signing is required but no private key is available for the alias.
 */
private static void signMNIResponse(ManageNameIDResponse mniResponse, String realm, String hostEntity, String hostEntityRole, String remoteEntity, boolean includeCert) throws SAML2Exception {
    String method = "signMNIResponse : ";
    // The remote entity plays the role opposite to ours.
    String remoteRole = hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)
            ? SAML2Constants.SP_ROLE
            : SAML2Constants.IDP_ROLE;
    boolean needResponseSign = SAML2Utils.getWantMNIResponseSigned(realm, remoteEntity, remoteRole);
    if (!needResponseSign) {
        if (debug.messageEnabled()) {
            debug.message(method + "MNIResponse doesn't need to be signed.");
        }
        return;
    }
    String alias = SAML2Utils.getSigningCertAlias(realm, hostEntity, hostEntityRole);
    boolean verbose = debug.messageEnabled();
    if (verbose) {
        debug.message(method + "realm is : " + realm);
        debug.message(method + "hostEntity is : " + hostEntity);
        debug.message(method + "Host Entity role is : " + hostEntityRole);
        debug.message(method + "Cert Alias is : " + alias);
        debug.message(method + "MNI Response before sign : " + mniResponse.toXMLString(true, true));
    }
    PrivateKey signingKey = keyProvider.getPrivateKey(alias);
    if (signingKey == null) {
        logError("missingSigningCertAlias", LogUtil.METADATA_ERROR, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
    X509Certificate signingCert = includeCert ? keyProvider.getX509Certificate(alias) : null;
    mniResponse.sign(signingKey, signingCert);
    if (verbose) {
        debug.message(method + "MNI Response after sign : " + mniResponse.toXMLString(true, true));
    }
}
