Example 1 with Saml2SingleLogout
use of com.tremolosecurity.proxy.auth.saml2.Saml2SingleLogout in project OpenUnison by TremoloSecurity.
the class SAML2Auth method doPost.
@Override
public void doPost(HttpServletRequest req, HttpServletResponse resp, AuthStep as) throws ServletException, IOException {
MyVDConnection myvd = cfgMgr.getMyVD();
// HttpSession session = (HttpSession)
// req.getAttribute(ConfigFilter.AUTOIDM_SESSION);//((HttpServletRequest)
// req).getSession();
// //SharedSession.getSharedSession().getSession(req.getSession().getId());
// SharedSession.getSharedSession().getSession(req.getSession().getId());
HttpSession session = ((HttpServletRequest) req).getSession();
UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);
String urlChain = holder.getUrl().getAuthChain();
AuthChainType act = holder.getConfig().getAuthChains().get(urlChain);
AuthInfo userData = ((AuthController) req.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
if (userData.isAuthComplete() && userData.getAuthLevel() > 0) {
// Session is already set, just redirect to relay state
String relayState = this.getFinalURL(req, resp);
if (relayState == null) {
throw new ServletException("No RelayState or default RelayState");
}
resp.sendRedirect(relayState);
return;
}
if (as == null) {
// this is a special case - idp initiated means there's no context
ArrayList<AuthStep> auths = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getAuthSteps();
int id = 0;
for (AuthMechType amt : act.getAuthMech()) {
AuthStep asx = new AuthStep();
asx.setId(id);
asx.setExecuted(false);
asx.setRequired(amt.getRequired().equals("required"));
asx.setSuccess(false);
auths.add(asx);
id++;
}
as = auths.get(0);
}
HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
String defaultOC = authParams.get("defaultOC").getValues().get(0);
String spEncKey = null;
if (authParams.get("spEncKey") != null) {
spEncKey = authParams.get("spEncKey").getValues().get(0);
}
RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
AuthMechType amt = act.getAuthMech().get(as.getId());
List<String> sigCertNames = authParams.get("idpSigKeyName").getValues();
List<X509Certificate> sigCerts = new ArrayList<X509Certificate>();
boolean isMultiIdp = authParams.get("isMultiIdP") != null && authParams.get("isMultiIdP").getValues().get(0).equalsIgnoreCase("true");
String ldapAttrib = authParams.get("ldapAttribute").getValues().get(0);
String dnLabel = authParams.get("dnOU").getValues().get(0);
String samlResp = req.getParameter("SAMLResponse");
String xml = null;
xml = new String(Base64.decodeBase64(samlResp), "UTF-8");
boolean assertionSigned = true;
if (authParams.get("assertionsSigned") != null) {
assertionSigned = Boolean.parseBoolean(authParams.get("assertionsSigned").getValues().get(0));
}
boolean responseSigned = false;
if (authParams.get("responsesSigned") != null) {
responseSigned = Boolean.parseBoolean(authParams.get("responsesSigned").getValues().get(0));
}
boolean assertionEncrypted = false;
if (authParams.get("assertionEncrypted") != null) {
assertionEncrypted = Boolean.parseBoolean(authParams.get("assertionEncrypted").getValues().get(0));
}
if (logger.isDebugEnabled()) {
logger.debug("=========saml2resp============");
logger.debug(xml);
logger.debug("=========saml2resp============");
}
xml = xml.replaceAll("<!--.*-->", "");
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
try {
DocumentBuilder builder = factory.newDocumentBuilder();
Element root = builder.parse(new InputSource(new StringReader(xml))).getDocumentElement();
Response samlResponse = (Response) XMLObjectSupport.getUnmarshaller(root).unmarshall(root);
if (isMultiIdp) {
try {
String dn = authParams.get("idpDir").getValues().get(0);
LDAPSearchResults res = cfgMgr.getMyVD().search(dn, 2, equal("issuer", samlResponse.getIssuer().getValue()).toString(), new ArrayList<String>());
if (!res.hasMore()) {
throw new ServletException("No IdP found");
}
LDAPEntry entry = res.next();
java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory.getInstance("X.509");
sigCerts.add((java.security.cert.X509Certificate) cf.generateCertificate(new ByteArrayInputStream(Base64.decodeBase64(entry.getAttribute("idpSig").getStringValue()))));
} catch (LDAPException e) {
throw new ServletException("Could not load IdP data", e);
} catch (CertificateException e) {
throw new ServletException("Could not load IdP data", e);
}
} else {
for (String sigCertName : sigCertNames) {
sigCerts.add(cfgMgr.getCertificate(sigCertName));
}
}
if (responseSigned) {
if (samlResponse.getSignature() != null) {
boolean foundSigned = false;
for (X509Certificate sigCert : sigCerts) {
if (sigCert != null) {
BasicCredential sigCred = new BasicCredential(sigCert.getPublicKey());
sigCred.setUsageType(UsageType.SIGNING);
try {
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
profileValidator.validate(samlResponse.getSignature());
SignatureValidator.validate(samlResponse.getSignature(), sigCred);
foundSigned = true;
} catch (org.opensaml.xmlsec.signature.support.SignatureException se) {
}
}
}
if (!foundSigned) {
throw new ServletException("could not validate response");
}
} else {
throw new Exception("Response not signed");
}
}
Assertion assertion = null;
if (samlResponse.getEncryptedAssertions().size() > 0) {
try {
EncryptedAssertion encAssertion = samlResponse.getEncryptedAssertions().get(0);
PrivateKey privKey = this.cfgMgr.getPrivateKey(spEncKey);
PublicKey pubKey = this.cfgMgr.getCertificate(spEncKey).getPublicKey();
Credential credential = new BasicCredential(pubKey, privKey);
StaticKeyInfoCredentialResolver resolver = new StaticKeyInfoCredentialResolver(credential);
Decrypter decrypter = new Decrypter(null, resolver, new InlineEncryptedKeyResolver());
decrypter.setRootInNewDocument(true);
assertion = decrypter.decrypt(encAssertion);
} catch (Exception e) {
throw new ServletException("Error decrypting assertion", e);
}
} else {
if (assertionEncrypted) {
throw new Exception("Assertion not encrypted");
}
if (samlResponse.getAssertions().size() == 0) {
throw new Exception("No assertions found");
}
assertion = (Assertion) samlResponse.getAssertions().get(0);
}
if (assertionSigned) {
if (assertion.getSignature() != null) {
boolean foundSigned = false;
for (X509Certificate sigCert : sigCerts) {
if (sigCert != null) {
BasicCredential sigCred = new BasicCredential(sigCert.getPublicKey());
sigCred.setUsageType(UsageType.SIGNING);
try {
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
profileValidator.validate(assertion.getSignature());
SignatureValidator.validate(assertion.getSignature(), sigCred);
foundSigned = true;
} catch (org.opensaml.xmlsec.signature.support.SignatureException se) {
}
}
}
if (!foundSigned) {
throw new ServletException("Assertion can not be validated with a trusted certificate");
}
} else {
throw new Exception("No assertion signature");
}
}
// If it made it here, the assertion is valid, lets check the authncontextclassref
Attribute authnContextClassRef = authParams.get("authCtxRef");
if (authnContextClassRef != null && authnContextClassRef.getValues().size() > 0 && !authnContextClassRef.getValues().get(0).isEmpty() && !authnContextClassRef.getValues().get(0).equalsIgnoreCase("none") && (assertion.getAuthnStatements() == null || assertion.getAuthnStatements().size() == 0 || assertion.getAuthnStatements().get(0).getAuthnContext() == null || assertion.getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef() == null || assertion.getAuthnStatements().get(0).getAuthnContext() == null || assertion.getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef() == null || assertion.getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef().getURI() == null || !assertion.getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef().getURI().equalsIgnoreCase(authnContextClassRef.getValues().get(0)))) {
logger.warn("Can not validate the authentication context classref");
as.setSuccess(false);
holder.getConfig().getAuthManager().nextAuth(req, resp, session, false);
return;
}
try {
if (authParams.get("dontLinkToLDAP") == null || authParams.get("dontLinkToLDAP").getValues().get(0).equalsIgnoreCase("false")) {
StringBuffer filter = new StringBuffer();
filter.append('(').append(ldapAttrib).append('=').append(assertion.getSubject().getNameID().getValue()).append(')');
LDAPSearchResults res = myvd.search(AuthUtil.getChainRoot(cfgMgr, act), 2, filter.toString(), new ArrayList<String>());
if (res.hasMore()) {
createUserFromDir(session, act, ldapAttrib, assertion, res);
} else {
createUnlinkedUser(session, act, ldapAttrib, dnLabel, defaultOC, assertion);
}
} else {
createUnlinkedUser(session, act, ldapAttrib, dnLabel, defaultOC, assertion);
}
} catch (LDAPException e) {
if (e.getResultCode() == 32) {
createUnlinkedUser(session, act, ldapAttrib, dnLabel, defaultOC, assertion);
} else {
throw e;
}
}
// logout management
Attribute logoutURLAttr = authParams.get("idpRedirLogoutURL");
if (logoutURLAttr != null && logoutURLAttr.getValues().size() > 0 && !logoutURLAttr.getValues().get(0).isEmpty() && authParams.get("spSigKey") != null && authParams.get("spSigKey").getValues().size() > 0) {
String logoutURL = logoutURLAttr.getValues().get(0);
String sessionIndex = assertion.getAuthnStatements().get(0).getSessionIndex();
String nameID = assertion.getSubject().getNameID().getValue();
String nameIDFormat = assertion.getSubject().getNameID().getFormat();
Saml2SingleLogout handler = new Saml2SingleLogout(logoutURL, sessionIndex, nameID, nameIDFormat, samlResponse.getDestination(), authParams.get("spSigKey").getValues().get(0), authParams.get("sigAlg").getValues().get(0), authParams.get("entityID").getValues().get(0));
LogoutUtil.addLogoutHandler(req, handler);
}
as.setSuccess(true);
} catch (Exception e) {
logger.error("Error Parsing Assertion", e);
throw new ServletException("error parsing assertion", e);
}
holder.getConfig().getAuthManager().nextAuth(req, resp, session, false);
}
Also used :
InputSource(org.xml.sax.InputSource)
DocumentBuilderFactory(javax.xml.parsers.DocumentBuilderFactory)
PrivateKey(java.security.PrivateKey)
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
CertificateException(java.security.cert.CertificateException)
XSString(org.opensaml.core.xml.schema.XSString)
AuthStep(com.tremolosecurity.proxy.auth.util.AuthStep)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
UrlHolder(com.tremolosecurity.config.util.UrlHolder)
ServletException(javax.servlet.ServletException)
LDAPEntry(com.novell.ldap.LDAPEntry)
SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator)
PublicKey(java.security.PublicKey)
EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion)
Assertion(org.opensaml.saml.saml2.core.Assertion)
AuthMechType(com.tremolosecurity.config.xml.AuthMechType)
Decrypter(org.opensaml.saml.saml2.encryption.Decrypter)
X509Certificate(java.security.cert.X509Certificate)
LDAPException(com.novell.ldap.LDAPException)
ByteArrayInputStream(java.io.ByteArrayInputStream)
InlineEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver)
Attribute(com.tremolosecurity.saml.Attribute)
LDAPAttribute(com.novell.ldap.LDAPAttribute)
Element(org.w3c.dom.Element)
StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver)
StringReader(java.io.StringReader)
AuthChainType(com.tremolosecurity.config.xml.AuthChainType)
MyVDConnection(com.tremolosecurity.proxy.myvd.MyVDConnection)
BasicCredential(org.opensaml.security.credential.BasicCredential)
BasicCredential(org.opensaml.security.credential.BasicCredential)
Credential(org.opensaml.security.credential.Credential)
TremoloHttpSession(com.tremolosecurity.proxy.TremoloHttpSession)
HttpSession(javax.servlet.http.HttpSession)
Saml2SingleLogout(com.tremolosecurity.proxy.auth.saml2.Saml2SingleLogout)
UnmarshallingException(org.opensaml.core.xml.io.UnmarshallingException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
InvalidKeyException(java.security.InvalidKeyException)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
LDAPException(com.novell.ldap.LDAPException)
MarshallingException(org.opensaml.core.xml.io.MarshallingException)
IOException(java.io.IOException)
Base64DecodingException(org.apache.xml.security.exceptions.Base64DecodingException)
ServletException(javax.servlet.ServletException)
SignatureException(java.security.SignatureException)
SAXException(org.xml.sax.SAXException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
InitializationException(org.opensaml.core.config.InitializationException)
MalformedURLException(java.net.MalformedURLException)
CertificateException(java.security.cert.CertificateException)
ParserConfigurationException(javax.xml.parsers.ParserConfigurationException)
LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse)
Response(org.opensaml.saml.saml2.core.Response)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
LDAPSearchResults(com.novell.ldap.LDAPSearchResults)
DocumentBuilder(javax.xml.parsers.DocumentBuilder)
EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion)
Aggregations
LDAPAttribute (com.novell.ldap.LDAPAttribute)1
LDAPEntry (com.novell.ldap.LDAPEntry)1
LDAPException (com.novell.ldap.LDAPException)1
LDAPSearchResults (com.novell.ldap.LDAPSearchResults)1
UrlHolder (com.tremolosecurity.config.util.UrlHolder)1
AuthChainType (com.tremolosecurity.config.xml.AuthChainType)1
AuthMechType (com.tremolosecurity.config.xml.AuthMechType)1
TremoloHttpSession (com.tremolosecurity.proxy.TremoloHttpSession)1
Saml2SingleLogout (com.tremolosecurity.proxy.auth.saml2.Saml2SingleLogout)1
AuthStep (com.tremolosecurity.proxy.auth.util.AuthStep)1
MyVDConnection (com.tremolosecurity.proxy.myvd.MyVDConnection)1
Attribute (com.tremolosecurity.saml.Attribute)1
ByteArrayInputStream (java.io.ByteArrayInputStream)1
IOException (java.io.IOException)1
StringReader (java.io.StringReader)1
UnsupportedEncodingException (java.io.UnsupportedEncodingException)1
MalformedURLException (java.net.MalformedURLException)1
InvalidKeyException (java.security.InvalidKeyException)1
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1
PrivateKey (java.security.PrivateKey)1
