
Example 76 with Response

use of com.sun.identity.saml2.protocol.Response in project OpenAM by OpenRock.

the class SPSingleLogoutServiceSOAP method doPost.

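/**
 * Handles a SAML2 Single Logout request delivered over the SOAP binding to this
 * service provider.
 * <p>
 * The hosted SP is resolved from the meta alias in the request URI (a fedlet addressed
 * without a meta alias falls back to the first hosted SP). The call is rejected with
 * {@code unsupportedBinding} when SLO over SOAP is not enabled for that SP. The SOAP
 * message is handed to {@code onMessage}; a non-null reply is written back together
 * with its MIME headers, a {@code null} reply yields HTTP 204. {@code SAML2Exception}
 * and {@code SOAPException} are logged and reported to the caller as HTTP 500 with the
 * {@code singleLogoutFailed} message.
 *
 * @param req  the incoming SOAP-over-HTTP request
 * @param resp the response the SOAP reply or the error is written to
 * @throws ServletException as declared by the servlet contract; nothing in this body
 *         throws it directly
 * @throws IOException if writing the reply to the response stream fails
 */
public void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    try {
        // Reject oversized bodies before any parsing happens (DoS guard).
        SAMLUtils.checkHTTPContentLength(req);
        // Resolve the hosted SP from the meta alias embedded in the request URI.
        String spMetaAlias = SAML2MetaUtils.getMetaAliasByUri(req.getRequestURI());
        if (SPCache.isFedlet && (spMetaAlias == null || spMetaAlias.length() == 0)) {
            // A fedlet may be addressed without a meta alias: use the first hosted SP.
            List spMetaAliases = SAML2Utils.getSAML2MetaManager().getAllHostedServiceProviderMetaAliases("/");
            if (spMetaAliases != null && !spMetaAliases.isEmpty()) {
                spMetaAlias = (String) spMetaAliases.get(0);
            }
        }
        String spEntityID = SAML2Utils.getSAML2MetaManager().getEntityByMetaAlias(spMetaAlias);
        String realm = SAML2MetaUtils.getRealmByMetaAlias(spMetaAlias);
        // Only serve SLO over SOAP when the SP's metadata enables that binding.
        if (!SAML2Utils.isSPProfileBindingSupported(realm, spEntityID, SAML2Constants.SLO_SERVICE, SAML2Constants.SOAP)) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("SPSLOSOAP.doPost : uri =" + req.getRequestURI() + ", spMetaAlias=" + spMetaAlias + ", spEntityID=" + spEntityID);
        }
        SOAPMessage msg = SOAPCommunicator.getInstance().getSOAPMessage(req);
        SOAPMessage reply = onMessage(msg, req, resp, realm, spEntityID);
        if (reply == null) {
            // Nothing to send back: answer with 204 rather than an empty 200 body.
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        // The MIME headers copied onto the HTTP response below are generated as part
        // of the save, so save pending changes before reading them.
        if (reply.saveRequired()) {
            reply.saveChanges();
        }
        resp.setStatus(HttpServletResponse.SC_OK);
        SAML2Utils.putHeaders(reply.getMimeHeaders(), resp);
        // Write the SOAP reply onto the response stream.
        OutputStream os = resp.getOutputStream();
        reply.writeTo(os);
        os.flush();
    } catch (SAML2Exception ex) {
        SAML2Utils.debug.error("SPSingleLogoutServiceSOAP", ex);
        SAMLUtils.sendError(req, resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "singleLogoutFailed", ex.getMessage());
    } catch (SOAPException soap) {
        SAML2Utils.debug.error("SPSingleLogoutServiceSOAP", soap);
        SAMLUtils.sendError(req, resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "singleLogoutFailed", soap.getMessage());
    }
}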

Example 77 with Response

use of com.sun.identity.saml2.protocol.Response in project OpenAM by OpenRock.

the class WSFederationUtils method processMultiProtocolLogout.

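/**
 * Processes a single logout that spans multiple federation protocols.
 * <p>
 * Reads the WS-Federation logout context ({@code wreply}, realm and IdP entity id) from
 * request attributes set by the caller, runs the IdP-side multi-protocol logout for the
 * given session and, unless the manager reports that it already redirected, redirects
 * the browser to {@code wreply}. WS-Federation defines no logout status, so the logout
 * is reported to the manager as succeeded.
 * <p>
 * Every failure is logged at message level and otherwise ignored: this is best-effort
 * cleanup and must not block the WS-Federation logout itself.
 *
 * @param request     the current HTTP request carrying the logout attributes
 * @param response    the HTTP response used for the final redirect
 * @param userSession the session object whose principal is being logged out
 */
public static void processMultiProtocolLogout(HttpServletRequest request, HttpServletResponse response, Object userSession) {
    debug.message("WSFederationUtils.processMPSingleLogout");
    try {
        String wreply = (String) request.getAttribute(WSFederationConstants.LOGOUT_WREPLY);
        String realm = (String) request.getAttribute(WSFederationConstants.REALM_PARAM);
        String idpEntityId = (String) request.getAttribute(WSFederationConstants.ENTITYID_PARAM);
        // Raw Set kept on purpose: the parameter type of doIDPSingleLogout is not visible here.
        Set sessSet = new HashSet();
        sessSet.add(userSession);
        String sessUser = SessionManager.getProvider().getPrincipalName(userSession);
        // The specification carries no logout status, so WS-Federation logout is
        // always reported as succeeded.
        SingleLogoutManager manager = SingleLogoutManager.getInstance();
        // TODO : find out spEntityID/logout request if any
        int status = manager.doIDPSingleLogout(sessSet, sessUser, request, response, false, true, SingleLogoutManager.WS_FED, realm, idpEntityId, null, wreply, null, null, SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS);
        if (status != SingleLogoutManager.LOGOUT_REDIRECTED_STATUS) {
            // NOTE(review): wreply is used as the redirect target as-is; this method does
            // not validate it, so the code that stores LOGOUT_WREPLY is relied on to have
            // checked it against the relying party's configuration — confirm.
            response.sendRedirect(wreply);
        }
    } catch (Exception ex) {
        // Deliberately ignored (covers SessionException and IOException too):
        // best-effort logout, the failure is only recorded at message level.
        debug.message("WSFederationUtils.processMultiProtocolLogout", ex);
    }
}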

Example 78 with Response

use of com.sun.identity.saml2.protocol.Response in project OpenAM by OpenRock.

the class QueryHandlerServlet method processXACMLResponse.

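/**
 * Builds and returns the SAML2 {@code Response} for an XACML authorization decision query.
 * <p>
 * When the PDP's configuration requires signed queries, an unsigned query or one whose
 * signature does not verify against the PEP's certificates from metadata is rejected.
 * The query is then dispatched to the {@code RequestHandler} registered under the meta
 * alias key taken from the request path. The returned response and its first assertion
 * receive fresh ids, issue instants and this PDP as issuer; the assertion is signed if
 * the PEP's metadata wants signed assertions and encrypted if the PEP's XACML
 * configuration asks for it (signing happens before encryption, so the signature is
 * covered by the encryption). Finally the response itself is signed.
 *
 * @param realm realm of the entity.
 * @param pdpEntityID entity identifier of the Policy Decision Point (PDP).
 * @param samlRequest the <code>RequestAbstract</code> object (the authorization query).
 * @param request the <code>HttpServletRequest</code> object.
 * @param soapMsg the <code>SOAPMessage</code> object.
 * @return the populated and signed <code>Response</code>; never {@code null}.
 * @throws SAML2Exception if the request path carries no meta alias marker, the query is
 *         unsigned or carries an invalid signature while signing is required, no handler
 *         is registered for the key, the handler produced no response or no assertion,
 *         the PEP descriptor is missing, or assertion encryption fails.
 */
Response processXACMLResponse(String realm, String pdpEntityID, RequestAbstract samlRequest, HttpServletRequest request, SOAPMessage soapMsg) throws SAML2Exception {
    String classMethod = "QueryHandlerServlet:processXACMLResponse";
    // The handler key is whatever follows the meta alias marker in the path.
    String path = request.getPathInfo();
    int markerIndex = (path == null) ? -1 : path.indexOf(METAALIAS_KEY);
    if (markerIndex < 0) {
        // No marker means no key to look a handler up by; fail the same way as an
        // unknown handler instead of computing a bogus key from indexOf() == -1.
        debug.error(classMethod + "RequestHandler not found, no " + METAALIAS_KEY + " in path " + path);
        throw new SAML2Exception("missingRequestHandler");
    }
    String key = path.substring(markerIndex + METAALIAS_KEY.length());
    String pepEntityID = samlRequest.getIssuer().getValue();
    if (debug.messageEnabled()) {
        debug.message(classMethod + "SOAPMessage KEY . :" + key);
        debug.message(classMethod + "pepEntityID is :" + pepEntityID);
    }
    // Retrieve metadata: does the PDP require the query to be signed?
    boolean pdpWantAuthzQuerySigned = SAML2Utils.getWantXACMLAuthzDecisionQuerySigned(realm, pdpEntityID, SAML2Constants.PDP_ROLE);
    if (debug.messageEnabled()) {
        debug.message(classMethod + "PDP wantAuthzQuerySigned:" + pdpWantAuthzQuerySigned);
    }
    if (pdpWantAuthzQuerySigned) {
        if (!samlRequest.isSigned()) {
            debug.error("Request not signed");
            throw new SAML2Exception("nullSig");
        }
        // Verify against the PEP's signing certificates from its metadata descriptor.
        // NOTE(review): pep may be null for an unknown PEP; getPEPVerificationCerts is
        // presumably expected to yield an empty set in that case — confirm.
        XACMLAuthzDecisionQueryDescriptorElement pep = SAML2Utils.getSAML2MetaManager().getPolicyEnforcementPointDescriptor(realm, pepEntityID);
        Set<X509Certificate> verificationCerts = KeyUtil.getPEPVerificationCerts(pep, pepEntityID);
        // No certificates means nothing to verify against: reject rather than accept.
        if (verificationCerts.isEmpty() || !samlRequest.isSignatureValid(verificationCerts)) {
            debug.error(classMethod + "Invalid signature in message");
            throw new SAML2Exception("invalidQuerySignature");
        }
        debug.message(classMethod + "Valid signature found");
    }
    // Dispatch to the handler registered under the meta alias key.
    RequestHandler handler = (RequestHandler) SOAPBindingService.handlers.get(key);
    if (handler == null) {
        debug.error(classMethod + "RequestHandler not found");
        throw new SAML2Exception("missingRequestHandler");
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + "Found handler");
    }
    Response samlResponse = handler.handleQuery(pdpEntityID, pepEntityID, samlRequest, soapMsg);
    if (samlResponse == null) {
        debug.error(classMethod + "RequestHandler returned no Response");
        throw new SAML2Exception(classMethod + "RequestHandler returned no Response");
    }
    // Response attributes: fresh id, SAML 2.0, issued now by this PDP.
    Issuer issuer = AssertionFactory.getInstance().createIssuer();
    issuer.setValue(pdpEntityID);
    samlResponse.setID(SAML2Utils.generateID());
    samlResponse.setVersion(SAML2Constants.VERSION_2_0);
    samlResponse.setIssueInstant(new Date());
    samlResponse.setIssuer(issuer);
    // The handler is expected to return a plain assertion to decorate; without one the
    // original code failed with an unchecked exception on get(0).
    // Raw List kept on purpose: the element type of getAssertion() is not visible here.
    List assertionList = samlResponse.getAssertion();
    if (assertionList == null || assertionList.isEmpty()) {
        debug.error(classMethod + "RequestHandler returned no Assertion");
        throw new SAML2Exception(classMethod + "RequestHandler returned no Assertion");
    }
    Assertion assertion = (Assertion) assertionList.get(0);
    assertion.setID(SAML2Utils.generateID());
    assertion.setVersion(SAML2Constants.VERSION_2_0);
    assertion.setIssueInstant(new Date());
    assertion.setIssuer(issuer);
    // PEP preferences: encrypt if the XACML config asks, sign if metadata asks.
    String wantAssertionEncrypted = SAML2Utils.getAttributeValueFromXACMLConfig(realm, SAML2Constants.PEP_ROLE, pepEntityID, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
    XACMLAuthzDecisionQueryDescriptorElement pepDescriptor = SAML2Utils.getSAML2MetaManager().getPolicyEnforcementPointDescriptor(realm, pepEntityID);
    if (pepDescriptor == null) {
        debug.error(classMethod + "No PEP descriptor found for " + pepEntityID);
        throw new SAML2Exception(classMethod + "No PEP descriptor found for " + pepEntityID);
    }
    boolean wantAssertionSigned = pepDescriptor.isWantAssertionsSigned();
    if (debug.messageEnabled()) {
        debug.message(classMethod + " wantAssertionSigned :" + wantAssertionSigned);
    }
    // Sign first so that the signature is covered by the encryption below.
    if (wantAssertionSigned) {
        signAssertion(realm, pdpEntityID, assertion);
    }
    if (SAML2Constants.TRUE.equalsIgnoreCase(wantAssertionEncrypted)) {
        EncInfo encInfo = KeyUtil.getPEPEncInfo(pepDescriptor, pepEntityID);
        if (encInfo == null) {
            // Without the PEP's encryption key info the assertion cannot be encrypted.
            debug.error(classMethod + "No encryption key info found for PEP " + pepEntityID);
            throw new SAML2Exception("FailedToEncryptAssertion");
        }
        EncryptedAssertion encryptedAssertion = assertion.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), pepEntityID);
        if (encryptedAssertion == null) {
            debug.error(classMethod + "Assertion encryption failed.");
            throw new SAML2Exception("FailedToEncryptAssertion");
        }
        List encryptedList = new ArrayList();
        encryptedList.add(encryptedAssertion);
        samlResponse.setEncryptedAssertion(encryptedList);
        // Only the encrypted form is sent: drop the plain assertion.
        samlResponse.setAssertion(new ArrayList());
        if (debug.messageEnabled()) {
            debug.message(classMethod + "Assertion encrypted.");
        }
    } else {
        List assertionsList = new ArrayList();
        assertionsList.add(assertion);
        samlResponse.setAssertion(assertionsList);
    }
    signResponse(samlResponse, realm, pepEntityID, pdpEntityID);
    return samlResponse;
}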

Example 79 with Response

use of com.sun.identity.saml2.protocol.Response in project OpenAM by OpenRock.

the class SAMLv2ModelImpl method savehttpRedMni.

/**
 * Appends an HTTP-Redirect ManageNameID service endpoint to the given live list.
 * <p>
 * Nothing is added when {@code mnihttpLocation} is null or empty. The response
 * location is copied onto the element as given, so it may be null.
 *
 * @param mnihttpLocation the endpoint location URL; null or empty means not configured.
 * @param mnihttpRespLocation the response location URL, copied through as-is.
 * @param manageNameIdList the live list the new element is appended to.
 * @param objFact the JAXB object factory used to create the element.
 * @throws JAXBException if creating or populating the element fails.
 */
private void savehttpRedMni(String mnihttpLocation, String mnihttpRespLocation, List manageNameIdList, com.sun.identity.saml2.jaxb.metadata.ObjectFactory objFact) throws JAXBException {
    boolean configured = mnihttpLocation != null && !mnihttpLocation.isEmpty();
    if (!configured) {
        return;
    }
    ManageNameIDServiceElement redirectEndpoint = objFact.createManageNameIDServiceElement();
    redirectEndpoint.setBinding(httpRedirectBinding);
    redirectEndpoint.setLocation(mnihttpLocation);
    redirectEndpoint.setResponseLocation(mnihttpRespLocation);
    manageNameIdList.add(redirectEndpoint);
}

Example 80 with Response

use of com.sun.identity.saml2.protocol.Response in project OpenAM by OpenRock.

the class SAMLv2ModelImpl method savehttpRedLogout.

/**
 * Appends an HTTP-Redirect Single Logout service endpoint to the given live list.
 * <p>
 * Nothing is added when {@code lohttpLocation} is null or empty. The response
 * location is copied onto the element as given, so it may be null.
 *
 * @param lohttpLocation the endpoint location URL; null or empty means not configured.
 * @param lohttpRespLocation the response location URL, copied through as-is.
 * @param logList the live list the new element is appended to.
 * @param objFact the JAXB object factory used to create the element.
 * @throws JAXBException if creating or populating the element fails.
 */
private void savehttpRedLogout(String lohttpLocation, String lohttpRespLocation, List logList, com.sun.identity.saml2.jaxb.metadata.ObjectFactory objFact) throws JAXBException {
    boolean configured = lohttpLocation != null && !lohttpLocation.isEmpty();
    if (!configured) {
        return;
    }
    SingleLogoutServiceElement redirectEndpoint = objFact.createSingleLogoutServiceElement();
    redirectEndpoint.setBinding(httpRedirectBinding);
    redirectEndpoint.setLocation(lohttpLocation);
    redirectEndpoint.setResponseLocation(lohttpRespLocation);
    logList.add(redirectEndpoint);
}
