use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.
the class DoManageNameID method processPOSTRequest.
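/**
 * Processes a ManageNameID request delivered over the HTTP-POST binding and
 * auto-posts the resulting ManageNameIDResponse back to the remote entity.
 *
 * <p>Order of checks: the SAMLRequest parameter must be present, the metaAlias
 * must resolve from the request URI, the host entity must support the POST
 * binding for the MNI service, the request must decode and parse, the Issuer
 * must be present, and {@code verifyMNIRequest} must accept the request before
 * any processing happens. The auto-post target is taken from the remote
 * entity's metadata (ResponseLocation, else Location), never from the request.
 *
 * @param request the HttpServletRequest carrying the SAMLRequest form parameter.
 * @param response the HttpServletResponse used for the error page or the auto-post form.
 * @param paramsMap Map of all other parameters; used to determine the host entity role.
 * @throws SAML2Exception if the request is missing, undecodable, unsupported for
 *         this binding, has no Issuer, fails verification, or cannot be posted back.
 * @throws IOException if writing the error page or the auto-post form fails.
 * @throws SOAPException declared by the signature; nothing in this body throws it directly.
 * @throws SessionException if session handling fails in {@code processManageNameIDRequest}.
 * @throws ServletException if the servlet layer rejects the request.
 */
public static void processPOSTRequest(HttpServletRequest request, HttpServletResponse response, Map paramsMap)
        throws SAML2Exception, IOException, SOAPException, SessionException, ServletException {
    String classMethod = "DoManageNameID.processPOSTRequest:";
    String samlRequest = request.getParameter(SAML2Constants.SAML_REQUEST);
    if (samlRequest == null) {
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST, "MissingSAMLRequest",
                SAML2Utils.bundle.getString("MissingSAMLRequest"));
        throw new SAML2Exception(SAML2Utils.bundle.getString("MissingSAMLRequest"));
    }
    String metaAlias = SAML2MetaUtils.getMetaAliasByUri(request.getRequestURI());
    if (metaAlias == null) {
        logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("MetaAliasNotFound"));
    }
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
    String hostEntityRole = SAML2Utils.getHostEntityRole(paramsMap);

    // Reject the binding early if the host entity's metadata does not allow POST for MNI.
    boolean isSupported;
    if (SAML2Constants.IDP_ROLE.equals(hostEntityRole)) {
        isSupported = SAML2Utils.isIDPProfileBindingSupported(realm, hostEntityID,
                SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_POST);
    } else {
        isSupported = SAML2Utils.isSPProfileBindingSupported(realm, hostEntityID,
                SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_POST);
    }
    if (!isSupported) {
        debug.error(classMethod + "MNI binding: POST is not supported for " + hostEntityID);
        String[] data = { hostEntityID, SAML2Constants.HTTP_POST };
        LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }

    // Decode the base64 form value and parse it into a ManageNameIDRequest.
    ManageNameIDRequest mniRequest = null;
    ByteArrayInputStream bis = null;
    try {
        byte[] raw = Base64.decode(samlRequest);
        if (raw != null) {
            bis = new ByteArrayInputStream(raw);
            Document doc = XMLUtils.toDOMDocument(bis, SAML2Utils.debug);
            if (doc != null) {
                mniRequest = ProtocolFactory.getInstance().createManageNameIDRequest(doc.getDocumentElement());
            }
        }
    } catch (SAML2Exception se) {
        debug.error(classMethod, se);
        // NOTE(review): the exception message is echoed into the client-facing error page.
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST, "nullDecodedStrFromSamlResponse",
                SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse") + " " + se.getMessage());
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
    } catch (Exception e) {
        debug.error(classMethod, e);
        // NOTE(review): as above, parser/decoder detail reaches the client via getMessage().
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "nullDecodedStrFromSamlResponse",
                SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse") + " " + e.getMessage());
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
    } finally {
        if (bis != null) {
            try {
                bis.close();
            } catch (Exception ie) {
                if (debug.messageEnabled()) {
                    debug.message(classMethod, ie);
                }
            }
        }
    }

    // A null decode result or an unparsable document used to fall through and return
    // without sending anything to the client; report it as a bad request instead.
    if (mniRequest == null) {
        debug.error(classMethod + "unable to decode or parse the ManageNameIDRequest");
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST, "nullDecodedStrFromSamlResponse",
                SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
    }

    // A request without an Issuer element is treated the same as an Issuer without a value.
    String remoteEntityID = (mniRequest.getIssuer() == null) ? null : mniRequest.getIssuer().getValue();
    if (remoteEntityID == null) {
        logError("nullRemoteEntityID", LogUtil.MISSING_ENTITY, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullRemoteEntityID"));
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + " Meta Alias is : " + metaAlias);
        debug.message(classMethod + " Host EntityID is : " + hostEntityID);
        debug.message(classMethod + " Remote EntityID is : " + remoteEntityID);
    }

    // verifyMNIRequest (not shown) receives the request and its Destination;
    // a failure is logged as an invalid MNI request signature.
    String dest = mniRequest.getDestination();
    boolean valid = verifyMNIRequest(mniRequest, realm, remoteEntityID, hostEntityID, hostEntityRole, dest);
    if (!valid) {
        logError("invalidSignInRequest", LogUtil.MNI_REQUEST_INVALID_SIGNATURE, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInRequest"));
    }

    // Response target comes from the remote entity's MNI service metadata.
    ManageNameIDServiceElement mniService = getMNIServiceElement(realm, remoteEntityID, hostEntityRole,
            SAML2Constants.HTTP_POST);
    String mniURL = mniService.getResponseLocation();
    if (mniURL == null) {
        mniURL = mniService.getLocation();
    }

    // Common processing for the POST, Redirect and SOAP bindings.
    ManageNameIDResponse mniResponse = processManageNameIDRequest(mniRequest, metaAlias, remoteEntityID,
            paramsMap, null, SAML2Constants.HTTP_POST, request, response);
    signMNIResponse(mniResponse, realm, hostEntityID, hostEntityRole, remoteEntityID);

    // Send the MNI response by POST; RelayState is echoed back as received.
    String mniRespString = mniResponse.toXMLString(true, true);
    String encMsg = SAML2Utils.encodeForPOST(mniRespString);
    String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
    try {
        SAML2Utils.postToTarget(request, response, "SAMLResponse", encMsg, "RelayState", relayState, mniURL);
    } catch (Exception e) {
        // Logged at error level: a failed post-back is a failure of the request, not a trace event.
        debug.error(classMethod, e);
        throw new SAML2Exception("Error posting to target");
    }
}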
use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.
the class ManageNameIDResponseImpl method parseElement.
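/**
 * Populates this instance from a {@code ManageNameIDResponse} DOM element.
 *
 * <p>Reads the ID, Version, IssueInstant, Destination, Consent and InResponseTo
 * attributes (ID, Version and IssueInstant are validated), then the Issuer,
 * Signature, Extensions and Status child elements. Children are matched by
 * local name only, so the namespace is not checked here; if a child element
 * type appears more than once, the last occurrence wins. The Signature element
 * is only retained as text; no verification happens in this method.
 *
 * @param element the DOM element to parse; must be a ManageNameIDResponse element.
 * @throws SAML2Exception if {@code element} is null, its local name is not
 *         {@code elementName}, or ID/Version/IssueInstant validation fails.
 */
private void parseElement(Element element) throws SAML2Exception {
    AssertionFactory af = AssertionFactory.getInstance();
    ProtocolFactory pf = ProtocolFactory.getInstance();
    // make sure that the input xml block is not null
    if (element == null) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ManageNameIDResponseImpl.parseElement: Input is null.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }
    // Make sure this is a ManageNameIDResponse (the previous comment wrongly said EncryptedAssertion).
    String tag = element.getLocalName();
    if ((tag == null) || (!tag.equals(elementName))) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ManageNameIDResponseImpl.parseElement:" + "not ManageNameIDResponse.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("wrongInput"));
    }
    responseId = element.getAttribute("ID");
    validateID(responseId);
    version = element.getAttribute("Version");
    validateVersion(version);
    String issueInstantStr = element.getAttribute("IssueInstant");
    validateIssueInstant(issueInstantStr);
    destination = element.getAttribute("Destination");
    consent = element.getAttribute("Consent");
    inResponseTo = element.getAttribute("InResponseTo");

    NodeList nList = element.getChildNodes();
    if ((nList != null) && (nList.getLength() > 0)) {
        int childCount = nList.getLength();
        for (int i = 0; i < childCount; i++) {
            Node childNode = nList.item(i);
            String cName = childNode.getLocalName();
            if (cName == null) {
                // Non-element nodes (text, comments) carry no local name.
                continue;
            }
            if (cName.equals("Issuer")) {
                issuer = af.createIssuer((Element) childNode);
            } else if (cName.equals("Signature")) {
                // Kept as a string for later verification; this method does not verify it.
                signatureString = XMLUtils.getElementString((Element) childNode);
                isSigned = true;
            } else if (cName.equals("Extensions")) {
                extensions = pf.createExtensions((Element) childNode);
            } else if (cName.equals("Status")) {
                status = pf.createStatus((Element) childNode);
            }
        }
    }
}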
use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.
the class DoManageNameID method processHttpRequest.
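/**
 * Parses the request parameters and processes the ManageNameID
 * Request from the remote entity (HTTP-Redirect binding).
 *
 * <p>Order of checks: the content length is bounded first, the metaAlias must
 * resolve from the request URI, the host entity must support the Redirect
 * binding for the MNI service, the request must parse with an Issuer, and the
 * query-string signature is verified only when the host entity's metadata
 * asks for signed MNI requests ({@code getWantMNIRequestSigned}); when it does
 * not, an unsigned request is accepted. The redirect target comes from the
 * remote entity's metadata (ResponseLocation, else Location).
 *
 * @param request the HttpServletRequest.
 * @param response the HttpServletResponse.
 * @param paramsMap Map of all other parameters; used to determine the host entity role.
 * @throws SAML2Exception if error occurred while processing the request.
 * @throws SessionException if error processing the request from remote entity.
 * @throws ServletException if request length is invalid.
 */
public static void processHttpRequest(HttpServletRequest request, HttpServletResponse response, Map paramsMap)
        throws SAML2Exception, SessionException, ServletException {
    String method = "processHttpRequest: ";
    // handle DOS attack: reject over-long bodies before touching the request further
    SAMLUtils.checkHTTPContentLength(request);
    String requestURL = request.getRequestURI();
    String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
    if (metaAlias == null) {
        logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("MetaAliasNotFound"));
    }
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    String hostEntity = metaManager.getEntityByMetaAlias(metaAlias);
    String hostRole = SAML2Utils.getHostEntityRole(paramsMap);

    boolean isSupported;
    if (SAML2Constants.IDP_ROLE.equals(hostRole)) {
        isSupported = SAML2Utils.isIDPProfileBindingSupported(realm, hostEntity,
                SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
    } else {
        isSupported = SAML2Utils.isSPProfileBindingSupported(realm, hostEntity,
                SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
    }
    if (!isSupported) {
        debug.error(method + "MNI binding: Redirect is not supported for " + hostEntity);
        String[] data = { hostEntity, SAML2Constants.HTTP_REDIRECT };
        LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }

    // Retrieve ManageNameIDRequest; a missing Issuer element is handled like a missing value.
    ManageNameIDRequest mniRequest = getMNIRequest(request);
    String remoteEntityID = (mniRequest.getIssuer() == null) ? null : mniRequest.getIssuer().getValue();
    if (remoteEntityID == null) {
        // Log the metaAlias for context, as the POST and SOAP paths do (remoteEntityID is null here).
        logError("nullRemoteEntityID", LogUtil.MISSING_ENTITY, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullRemoteEntityID"));
    }

    // Signature verification is configuration-gated: only enforced when the host
    // entity's metadata wants MNI requests signed.
    boolean needToVerify = SAML2Utils.getWantMNIRequestSigned(realm, hostEntity, hostRole);
    if (needToVerify) {
        String queryString = request.getQueryString();
        boolean valid = SAML2Utils.verifyQueryString(queryString, realm, hostRole, remoteEntityID);
        if (!valid) {
            logError("invalidSignInRequest", LogUtil.MNI_REQUEST_INVALID_SIGNATURE, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInRequest"));
        }
    }

    String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
    if (debug.messageEnabled()) {
        debug.message(method + "Meta Alias is : " + metaAlias);
        debug.message(method + "Remote EntityID is : " + remoteEntityID);
        debug.message(method + "Host Entity role is : " + hostRole);
        debug.message(method + "Relay state is : " + relayState);
    }

    try {
        // Redirect target comes from the remote entity's MNI service metadata.
        ManageNameIDServiceElement mniService = getMNIServiceElement(realm, remoteEntityID, hostRole,
                SAML2Constants.HTTP_REDIRECT);
        String mniURL = mniService.getResponseLocation();
        if (mniURL == null) {
            mniURL = mniService.getLocation();
        }
        ManageNameIDResponse mniResponse = processManageNameIDRequest(mniRequest, metaAlias, remoteEntityID,
                paramsMap, mniURL, SAML2Constants.HTTP_REDIRECT, request, response);
        sendMNIResponse(response, mniResponse, mniURL, relayState, realm, hostEntity, hostRole, remoteEntityID);
    } catch (SAML2MetaException e) {
        // The rethrown SAML2Exception carries no cause, so record the original here.
        debug.error(method + "metadata error", e);
        logError("metaDataError", LogUtil.METADATA_ERROR, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
}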
use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.
the class DoManageNameID method processSOAPRequest.
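/**
 * Parses the request parameters and processes the ManageNameID
 * Request from the remote entity (SOAP binding).
 *
 * <p>Order of checks: the content length is bounded first, the metaAlias must
 * resolve from the request URI, the host entity must support the SOAP binding
 * for the MNI service, the SOAP body must yield a ManageNameIDRequest with an
 * Issuer, and {@code verifyMNIRequest} must accept the request before any
 * processing happens. The signed (where required) response is written back on
 * the same HTTP response as a SOAP message.
 *
 * @param request the HttpServletRequest.
 * @param response the HttpServletResponse.
 * @param paramsMap Map of all other parameters; used to determine the host entity role.
 * @throws SAML2Exception if error occurred while processing the request.
 * @throws IOException if error generation DOM from input stream.
 * @throws SOAPException if error generating soap message.
 * @throws ServletException if request length is invalid.
 */
public static void processSOAPRequest(HttpServletRequest request, HttpServletResponse response, Map paramsMap)
        throws SAML2Exception, IOException, SOAPException, ServletException {
    String method = "processSOAPRequest: ";
    String requestURL = request.getRequestURI();
    String hostEntityRole = SAML2Utils.getHostEntityRole(paramsMap);
    // handle DOS attack: reject over-long bodies before the SOAP message is read
    SAMLUtils.checkHTTPContentLength(request);
    String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
    if (metaAlias == null) {
        logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("MetaAliasNotFound"));
    }
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    String hostEntity = metaManager.getEntityByMetaAlias(metaAlias);

    boolean isSupported;
    if (SAML2Constants.IDP_ROLE.equals(hostEntityRole)) {
        isSupported = SAML2Utils.isIDPProfileBindingSupported(realm, hostEntity,
                SAML2Constants.MNI_SERVICE, SAML2Constants.SOAP);
    } else {
        isSupported = SAML2Utils.isSPProfileBindingSupported(realm, hostEntity,
                SAML2Constants.MNI_SERVICE, SAML2Constants.SOAP);
    }
    if (!isSupported) {
        debug.error(method + "MNI binding: SOAP is not supported for " + hostEntity);
        String[] data = { hostEntity, SAML2Constants.SOAP };
        LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }

    // Retrieve a SOAPMessage and extract the ManageNameIDRequest from it.
    SOAPMessage message = SOAPCommunicator.getInstance().getSOAPMessage(request);
    ManageNameIDRequest mniRequest = getMNIRequest(message);
    // A request without an Issuer element is handled like an Issuer without a value.
    String remoteEntityID = (mniRequest.getIssuer() == null) ? null : mniRequest.getIssuer().getValue();
    if (remoteEntityID == null) {
        logError("nullRemoteEntityID", LogUtil.MISSING_ENTITY, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullRemoteEntityID"));
    }
    if (debug.messageEnabled()) {
        debug.message(method + "Meta Alias is : " + metaAlias);
        debug.message(method + "Host EntityID is : " + hostEntity);
        debug.message(method + "Remote EntityID is : " + remoteEntityID);
    }

    // verifyMNIRequest (not shown) receives the request and its Destination;
    // a failure is logged as an invalid MNI request signature.
    String dest = mniRequest.getDestination();
    boolean valid = verifyMNIRequest(mniRequest, realm, remoteEntityID, hostEntity, hostEntityRole, dest);
    if (!valid) {
        logError("invalidSignInRequest", LogUtil.MNI_REQUEST_INVALID_SIGNATURE, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInRequest"));
    }

    // Common processing for the POST, Redirect and SOAP bindings; then sign if the peer requires it.
    ManageNameIDResponse mniResponse = processManageNameIDRequest(mniRequest, metaAlias, remoteEntityID,
            paramsMap, null, SAML2Constants.SOAP, request, response);
    signMNIResponse(mniResponse, realm, hostEntity, hostEntityRole, remoteEntityID);

    SOAPMessage reply = SOAPCommunicator.getInstance().createSOAPMessage(mniResponse.toXMLString(true, true), false);
    if (reply == null) {
        logError("errorObtainResponse", LogUtil.CANNOT_INSTANTIATE_MNI_RESPONSE, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("errorObtainResponse"));
    }
    /* Need to call saveChanges because we're
     * going to use the MimeHeaders to set HTTP
     * response information. These MimeHeaders
     * are generated as part of the save. */
    if (reply.saveRequired()) {
        reply.saveChanges();
    }
    response.setStatus(HttpServletResponse.SC_OK);
    SAML2Utils.putHeaders(reply.getMimeHeaders(), response);
    // Write out the message on the response stream; the container owns the stream's lifecycle.
    OutputStream os = response.getOutputStream();
    reply.writeTo(os);
    os.flush();
}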
use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.
the class DoManageNameID method signMNIResponse.
/**
 * Signs the ManageNameIDResponse when the remote entity's metadata asks for
 * signed MNI responses; otherwise leaves it untouched.
 *
 * <p>The remote entity is assumed to play the opposite role of the host
 * (IDP host → SP remote, otherwise IDP remote) when its metadata is consulted.
 * The signing key is looked up by the host entity's signing certificate alias.
 *
 * @param mniResponse the response to sign in place.
 * @param realm the realm of the host entity.
 * @param hostEntity the host entity ID.
 * @param hostEntityRole the host entity role (compared case-insensitively to IDP_ROLE).
 * @param remoteEntity the remote entity ID whose metadata decides whether to sign.
 * @param includeCert whether to embed the host's X.509 certificate in the signature.
 * @throws SAML2Exception if signing is required but no private key is found for the alias,
 *         or if signing itself fails.
 */
private static void signMNIResponse(ManageNameIDResponse mniResponse, String realm, String hostEntity,
        String hostEntityRole, String remoteEntity, boolean includeCert) throws SAML2Exception {
    String method = "signMNIResponse : ";
    // Consult the remote entity's metadata under the role opposite to the host's.
    String remoteRole = hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)
            ? SAML2Constants.SP_ROLE
            : SAML2Constants.IDP_ROLE;
    boolean needResponseSign = SAML2Utils.getWantMNIResponseSigned(realm, remoteEntity, remoteRole);
    if (!needResponseSign) {
        if (debug.messageEnabled()) {
            debug.message(method + "MNIResponse doesn't need to be signed.");
        }
        return;
    }

    String alias = SAML2Utils.getSigningCertAlias(realm, hostEntity, hostEntityRole);
    if (debug.messageEnabled()) {
        debug.message(method + "realm is : " + realm);
        debug.message(method + "hostEntity is : " + hostEntity);
        debug.message(method + "Host Entity role is : " + hostEntityRole);
        debug.message(method + "Cert Alias is : " + alias);
        // Full response XML is traced at message level only.
        debug.message(method + "MNI Response before sign : " + mniResponse.toXMLString(true, true));
    }

    PrivateKey signingKey = keyProvider.getPrivateKey(alias);
    X509Certificate signingCert = includeCert ? keyProvider.getX509Certificate(alias) : null;
    if (signingKey == null) {
        logError("missingSigningCertAlias", LogUtil.METADATA_ERROR, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
    mniResponse.sign(signingKey, signingCert);

    if (debug.messageEnabled()) {
        debug.message(method + "MNI Response after sign : " + mniResponse.toXMLString(true, true));
    }
}