Author: anil.saldhana(a)jboss.com
Date: 2009-10-27 17:08:12 -0400 (Tue, 27 Oct 2009)
New Revision: 878
Added:
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/SAMLHandlerChainProcessor.java
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/ServiceProviderBaseProcessor.java
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/ServiceProviderSAMLRequestProcessor.java
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
Log:
refactor into separate classes
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2009-10-27
20:59:22 UTC (rev 877)
+++
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2009-10-27
21:08:12 UTC (rev 878)
@@ -24,7 +24,6 @@
import static org.jboss.identity.federation.core.util.StringUtil.isNotNull;
import java.io.IOException;
-import java.io.InputStream;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
@@ -41,31 +40,24 @@
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.log4j.Logger;
-import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
-import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
import
org.jboss.identity.federation.bindings.tomcat.sp.holder.ServiceProviderSAMLContext;
import org.jboss.identity.federation.bindings.util.ValveUtil;
import org.jboss.identity.federation.core.config.TrustType;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
+import org.jboss.identity.federation.core.exceptions.ParsingException;
import org.jboss.identity.federation.core.exceptions.ProcessingException;
-import org.jboss.identity.federation.core.interfaces.ProtocolContext;
import org.jboss.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.jboss.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
-import org.jboss.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
-import org.jboss.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerRequest;
-import org.jboss.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerResponse;
import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2Handler;
-import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
-import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2Handler.HANDLER_TYPE;
-import
org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest.GENERATE_REQUEST_TYPE;
import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
-import org.jboss.identity.federation.saml.v2.SAML2Object;
-import org.jboss.identity.federation.saml.v2.protocol.RequestAbstractType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
import org.jboss.identity.federation.web.constants.GeneralConstants;
import org.jboss.identity.federation.web.core.HTTPContext;
+import org.jboss.identity.federation.web.process.ServiceProviderBaseProcessor;
+import org.jboss.identity.federation.web.process.ServiceProviderSAMLRequestProcessor;
+import org.jboss.identity.federation.web.process.ServiceProviderSAMLResponseProcessor;
import org.jboss.identity.federation.web.util.PostBindingUtil;
import org.jboss.identity.federation.web.util.ServerDetector;
import org.w3c.dom.Document;
@@ -109,56 +101,42 @@
//If we have already authenticated the user and there is no request from IDP or
logout from user
if(principal != null && !(logOutRequest || isNotNull(samlRequest) ||
isNotNull(samlResponse) ) )
- return true;
+ return true;
- SAML2Request saml2Request = new SAML2Request();
-
Session session = request.getSessionInternal(true);
String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
boolean willSendRequest = false;
-
+ HTTPContext httpContext = new HTTPContext(request, response,
context.getServletContext());
+ Set<SAML2Handler> handlers = chain.handlers();
+
+ //General User Request
if(!isNotNull(samlRequest) && !isNotNull(samlResponse))
{
//Neither saml request nor response from IDP
//So this is a user request
-
- //Ask the handler chain to generate the saml request
- Set<SAML2Handler> handlers = chain.handlers();
-
- IssuerInfoHolder holder = new IssuerInfoHolder(this.serviceURL);
- ProtocolContext protocolContext = new HTTPContext(request,response,
context.getServletContext());
- //Create the request/response
- SAML2HandlerRequest saml2HandlerRequest =
- new DefaultSAML2HandlerRequest(protocolContext,
- holder.getIssuer(), null,
- HANDLER_TYPE.SP);
- SAML2HandlerResponse saml2HandlerResponse = new DefaultSAML2HandlerResponse();
-
- saml2HandlerResponse.setDestination(identityURL);
-
- //Reset the state
+ SAML2HandlerResponse saml2HandlerResponse = null;
try
{
- for(SAML2Handler handler: handlers)
- {
- handler.reset();
- if(saml2HandlerResponse.isInError())
- {
- response.sendError(saml2HandlerResponse.getErrorCode());
- break;
- }
-
- if(logOutRequest)
-
saml2HandlerRequest.setTypeOfRequestToBeGenerated(GENERATE_REQUEST_TYPE.LOGOUT);
- else
-
saml2HandlerRequest.setTypeOfRequestToBeGenerated(GENERATE_REQUEST_TYPE.AUTH);
- handler.generateSAMLRequest(saml2HandlerRequest, saml2HandlerResponse);
- }
+ ServiceProviderBaseProcessor baseProcessor = new
ServiceProviderBaseProcessor(true, serviceURL);
+
+ saml2HandlerResponse = baseProcessor.process(httpContext, handlers);
+ saml2HandlerResponse.setDestination(identityURL);
}
catch(ProcessingException pe)
{
+ log.error("Processing Exception:", pe);
throw new RuntimeException(pe);
+ }
+ catch (ParsingException pe)
+ {
+ log.error("Parsing Exception:", pe);
+ throw new RuntimeException(pe);
+ }
+ catch (ConfigurationException pe)
+ {
+ log.error("Config Exception:", pe);
+ throw new RuntimeException(pe);
}
willSendRequest = saml2HandlerResponse.getSendRequest();
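Review bot: After `baseProcessor.process(httpContext, handlers)` returns (L131) the new code never consults `saml2HandlerResponse.isInError()`, although the processor's loop calls `sendError(...)` and breaks on an error and still returns the response object; execution then continues into `setDestination(identityURL)` and `willSendRequest = ...` on a response that has already been committed with an error status. A guard directly after the call, `if(saml2HandlerResponse.isInError()) return false;`, keeps the error path from being followed by a redirect to the IdP. Separately, the `catch(ProcessingException pe)` at L134 cannot fire in practice because `ServiceProviderBaseProcessor.process` already converts that exception into a `RuntimeException` internally (see the new class in this commit), so one of the two wrappers is dead code and the unchecked exception escapes `authenticate` as-is. `authenticate` begins before and ends after this hunk.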
@@ -186,7 +164,7 @@
}
}
- //See if we got a response from IDP
+ //Handle a SAML Response from IDP
if(isNotNull(samlResponse) )
{
boolean isValid = false;
@@ -201,45 +179,16 @@
}
if(!isValid)
throw new IOException("Validity check failed");
-
+
+
//deal with SAML response from IDP
- InputStream decodedResponseStream =
PostBindingUtil.base64DecodeAsStream(samlResponse);
try
{
- SAML2Response saml2Response = new SAML2Response();
+ ServiceProviderSAMLResponseProcessor responseProcessor =
+ new ServiceProviderSAMLResponseProcessor(true, serviceURL);
+ SAML2HandlerResponse saml2HandlerResponse =
+ responseProcessor.process(samlResponse, httpContext, handlers);
- SAML2Object samlObject =
saml2Response.getSAML2ObjectFromStream(decodedResponseStream);
- SAMLDocumentHolder documentHolder = saml2Response.getSamlDocumentHolder();
-
- Set<SAML2Handler> handlers = chain.handlers();
- IssuerInfoHolder holder = new IssuerInfoHolder(this.serviceURL);
- ProtocolContext protocolContext = new HTTPContext(request,response,
context.getServletContext());
- //Create the request/response
- SAML2HandlerRequest saml2HandlerRequest =
- new DefaultSAML2HandlerRequest(protocolContext,
- holder.getIssuer(), documentHolder,
- HANDLER_TYPE.SP);
-
- SAML2HandlerResponse saml2HandlerResponse = new
DefaultSAML2HandlerResponse();
-
- //Deal with handler chains
- for(SAML2Handler handler : handlers)
- {
- if(saml2HandlerResponse.isInError())
- {
- response.sendError(saml2HandlerResponse.getErrorCode());
- break;
- }
- if(samlObject instanceof RequestAbstractType)
- {
- handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse);
- }
- else
- {
- handler.handleStatusResponseType(saml2HandlerRequest,
saml2HandlerResponse);
- }
- }
-
Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
relayState = saml2HandlerResponse.getRelayState();
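Review bot: `responseProcessor.process(samlResponse, httpContext, handlers)` at L174 can hand back a response on which some handler set the error flag, because the new chain processor sends the HTTP error and breaks but still returns normally, and the code here then reads the resulting document, relay state, and further down the roles and principal out of that partially processed response. Add `if(saml2HandlerResponse.isInError()) return false;` immediately after the call so an error raised mid-chain is never followed by `register(...)`. Whether any handler signals a signature or issuer failure through `isInError()` rather than by throwing is not visible from this diff, so the guard is cheap insurance either way. The enclosing `authenticate` method starts and ends outside this hunk.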
@@ -267,9 +216,8 @@
else
dispatch.forward(request, response);
return false;
- }
+ }
-
//We got a response with the principal
List<String> roles = saml2HandlerResponse.getRoles();
if(principal == null)
@@ -299,9 +247,7 @@
register(request, response, principal, Constants.FORM_METHOD, username,
password);
return true;
- }
-
-
+ }
}
catch (Exception e)
{
@@ -309,64 +255,19 @@
log.trace("Server Exception:", e);
throw new IOException("Server Exception");
}
- }
-
-
+ }
+
+ //Handle SAML Requests from IDP
if(isNotNull(samlRequest))
- {
- //we got a logout request
-
- //deal with SAML response from IDP
- InputStream is = PostBindingUtil.base64DecodeAsStream(samlRequest);
-
+ {
try
- {
- SAML2Object samlObject = saml2Request.getSAML2ObjectFromStream(is);
- SAMLDocumentHolder documentHolder = saml2Request.getSamlDocumentHolder();
-
- Set<SAML2Handler> handlers = chain.handlers();
- IssuerInfoHolder holder = new IssuerInfoHolder(this.serviceURL);
- ProtocolContext protocolContext = new HTTPContext(request,response,
context.getServletContext());
- //Create the request/response
- SAML2HandlerRequest saml2HandlerRequest =
- new DefaultSAML2HandlerRequest(protocolContext,
- holder.getIssuer(), documentHolder,
- HANDLER_TYPE.SP);
-
- SAML2HandlerResponse saml2HandlerResponse = new
DefaultSAML2HandlerResponse();
-
- //Deal with handler chains
- for(SAML2Handler handler : handlers)
- {
- if(saml2HandlerResponse.isInError())
- {
- response.sendError(saml2HandlerResponse.getErrorCode());
- break;
- }
- if(samlObject instanceof RequestAbstractType)
- {
- handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse);
- }
- else
- {
- handler.handleStatusResponseType(saml2HandlerRequest,
saml2HandlerResponse);
- }
- }
-
- Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
- relayState = saml2HandlerResponse.getRelayState();
-
- String destination = saml2HandlerResponse.getDestination();
-
- willSendRequest = saml2HandlerResponse.getSendRequest();
+ {
+ ServiceProviderSAMLRequestProcessor requestProcessor =
+ new ServiceProviderSAMLRequestProcessor(true, this.serviceURL);
+ boolean result = requestProcessor.process(samlRequest, httpContext,
handlers);
-
- if(destination != null &&
- samlResponseDocument != null)
- {
- sendRequestToIDP(destination, samlResponseDocument, relayState, response,
willSendRequest);
- return true;
- }
+ if(result)
+ return result;
}
catch (Exception e)
{
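Review bot: When `requestProcessor.process(...)` at L298 returns false the SAML request from the IdP silently falls through to `super.authenticate`, i.e. ordinary form login, with nothing logged about why the request was not acted on; together with the surrounding `catch (Exception e)` that records the failure only at `log.trace` level (context at L235/L314), a rejected or malformed LogoutRequest leaves no trace at default log levels. Replace the tail of the try block with `if(result) return result;` followed by `log.warn("SAML request from IDP was not processed; falling back to form authentication");` and consider raising the catch's `log.trace` to `log.error` so operators can see these events. What the processor does on the false path is defined in the new `ServiceProviderSAMLRequestProcessor`, which is cut off in this view.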
@@ -374,7 +275,7 @@
log.trace("Server Exception:", e);
throw new IOException("Server Exception");
}
- }//end else logoutrequest
+ }//end if
//fallback
return super.authenticate(request, response, loginConfig);
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2009-10-27
20:59:22 UTC (rev 877)
+++
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2009-10-27
21:08:12 UTC (rev 878)
@@ -25,7 +25,6 @@
import java.io.ByteArrayOutputStream;
import java.io.IOException;
-import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.util.Arrays;
@@ -45,31 +44,23 @@
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.log4j.Logger;
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
-import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
import
org.jboss.identity.federation.bindings.tomcat.sp.holder.ServiceProviderSAMLContext;
import org.jboss.identity.federation.bindings.util.ValveUtil;
import org.jboss.identity.federation.core.config.TrustType;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
import org.jboss.identity.federation.core.exceptions.ParsingException;
import org.jboss.identity.federation.core.exceptions.ProcessingException;
-import org.jboss.identity.federation.core.interfaces.ProtocolContext;
-import org.jboss.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
-import org.jboss.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
-import org.jboss.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerRequest;
-import org.jboss.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerResponse;
import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2Handler;
-import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
-import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2Handler.HANDLER_TYPE;
-import
org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest.GENERATE_REQUEST_TYPE;
import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
-import org.jboss.identity.federation.saml.v2.SAML2Object;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
-import org.jboss.identity.federation.saml.v2.protocol.RequestAbstractType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
import org.jboss.identity.federation.web.constants.GeneralConstants;
import org.jboss.identity.federation.web.core.HTTPContext;
+import org.jboss.identity.federation.web.process.ServiceProviderBaseProcessor;
+import org.jboss.identity.federation.web.process.ServiceProviderSAMLRequestProcessor;
+import org.jboss.identity.federation.web.process.ServiceProviderSAMLResponseProcessor;
import org.jboss.identity.federation.web.util.HTTPRedirectUtil;
import org.jboss.identity.federation.web.util.RedirectBindingUtil;
import org.jboss.identity.federation.web.util.ServerDetector;
@@ -115,54 +106,42 @@
//If we have already authenticated the user and there is no request from IDP or
logout from user
if(principal != null && !(logOutRequest || isNotNull(samlRequest) ||
isNotNull(samlResponse) ) )
return true;
-
- SAML2Request saml2Request = new SAML2Request();
Session session = request.getSessionInternal(true);
String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
-
+ HTTPContext httpContext = new HTTPContext(request, response,
context.getServletContext());
+
+ Set<SAML2Handler> handlers = chain.handlers();
+
+ //General User Request
if(!isNotNull(samlRequest) && !isNotNull(samlResponse))
{
//Neither saml request nor response from IDP
//So this is a user request
-
- //Ask the handler chain to generate the saml request
- Set<SAML2Handler> handlers = chain.handlers();
-
- IssuerInfoHolder holder = new IssuerInfoHolder(this.serviceURL);
- ProtocolContext protocolContext = new HTTPContext(request,response,
context.getServletContext());
- //Create the request/response
- SAML2HandlerRequest saml2HandlerRequest =
- new DefaultSAML2HandlerRequest(protocolContext,
- holder.getIssuer(), null,
- HANDLER_TYPE.SP);
- SAML2HandlerResponse saml2HandlerResponse = new DefaultSAML2HandlerResponse();
-
- saml2HandlerResponse.setDestination(identityURL);
-
- //Reset the state
+ SAML2HandlerResponse saml2HandlerResponse = null;
try
{
- for(SAML2Handler handler: handlers)
- {
- handler.reset();
- if(saml2HandlerResponse.isInError())
- {
- response.sendError(saml2HandlerResponse.getErrorCode());
- break;
- }
-
- if(logOutRequest)
-
saml2HandlerRequest.setTypeOfRequestToBeGenerated(GENERATE_REQUEST_TYPE.LOGOUT);
- else
-
saml2HandlerRequest.setTypeOfRequestToBeGenerated(GENERATE_REQUEST_TYPE.AUTH);
- handler.generateSAMLRequest(saml2HandlerRequest, saml2HandlerResponse);
- }
+ ServiceProviderBaseProcessor baseProcessor = new
ServiceProviderBaseProcessor(false, serviceURL);
+
+ saml2HandlerResponse = baseProcessor.process(httpContext, handlers);
+ saml2HandlerResponse.setDestination(identityURL);
}
catch(ProcessingException pe)
{
+ log.error("Processing Exception:", pe);
throw new RuntimeException(pe);
- }
+ }
+ catch (ParsingException pe)
+ {
+ log.error("Parsing Exception:", pe);
+ throw new RuntimeException(pe);
+ }
+ catch (ConfigurationException pe)
+ {
+ log.error("Config Exception:", pe);
+ throw new RuntimeException(pe);
+ }
+
Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
relayState = saml2HandlerResponse.getRelayState();
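Review bot: The `saml2HandlerResponse` returned by `baseProcessor.process` at L435 is used unconditionally, but the processor already calls `sendError` when a handler flags an error and then simply returns, so the following `getResultingDocument()` / redirect logic runs on a committed error response. Insert `if(saml2HandlerResponse.isInError()) return false;` right after the call. The three new catch blocks at L438-L453 also turn checked exceptions into `RuntimeException`, which escapes `authenticate` into the valve pipeline instead of the controlled `throw new IOException("Server Exception")` the neighbouring blocks use, and the `ProcessingException` branch is unreachable because the processor wraps that exception itself. `authenticate` begins before and continues past this hunk.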
@@ -206,52 +185,19 @@
}
if(!isValid)
throw new IOException("Validity check failed");
-
- //deal with SAML response from IDP
- InputStream base64DecodedResponse =
RedirectBindingUtil.base64DeflateDecode(samlResponse);
-
+
try
{
- SAML2Response saml2Response = new SAML2Response();
+ ServiceProviderSAMLResponseProcessor responseProcessor =
+ new ServiceProviderSAMLResponseProcessor(false, serviceURL);
+ SAML2HandlerResponse saml2HandlerResponse =
+ responseProcessor.process(samlResponse, httpContext, handlers);
- SAML2Object samlObject =
saml2Response.getSAML2ObjectFromStream(base64DecodedResponse);
- SAMLDocumentHolder documentHolder = saml2Response.getSamlDocumentHolder();
-
- Set<SAML2Handler> handlers = chain.handlers();
- IssuerInfoHolder holder = new IssuerInfoHolder(this.serviceURL);
- ProtocolContext protocolContext = new HTTPContext(request,response,
context.getServletContext());
- //Create the request/response
- SAML2HandlerRequest saml2HandlerRequest =
- new DefaultSAML2HandlerRequest(protocolContext,
- holder.getIssuer(), documentHolder,
- HANDLER_TYPE.SP);
-
- SAML2HandlerResponse saml2HandlerResponse = new
DefaultSAML2HandlerResponse();
-
- //Deal with handler chains
- for(SAML2Handler handler : handlers)
- {
- if(saml2HandlerResponse.isInError())
- {
- response.sendError(saml2HandlerResponse.getErrorCode());
- break;
- }
- if(samlObject instanceof RequestAbstractType)
- {
- handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse);
- }
- else
- {
- handler.handleStatusResponseType(saml2HandlerRequest,
saml2HandlerResponse);
- }
- }
-
Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
relayState = saml2HandlerResponse.getRelayState();
String destination = saml2HandlerResponse.getDestination();
-
-
+
if(destination != null &&
samlResponseDocument != null)
{
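Review bot: As in the POST authenticator, the response obtained at L473 is consumed without checking `saml2HandlerResponse.isInError()`, so a handler error that already triggered `sendError` inside the chain processor does not stop this method from continuing into the document/destination handling and, later, role assignment; add `if(saml2HandlerResponse.isInError()) return false;` after the call. The redirect-binding decode (previously the visible `RedirectBindingUtil.base64DeflateDecode` call) now happens inside `ServiceProviderSAMLResponseProcessor` with `postBinding=false`; since that inflates an attacker-supplied query parameter, it is worth confirming that the utility bounds the inflated size, which this diff does not show. The enclosing method extends beyond the hunk on both sides.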
@@ -265,8 +211,7 @@
}
else
{
- //See if the session has been invalidated
-
+ //See if the session has been invalidated
boolean sessionValidity = session.isValid();
if(!sessionValidity)
{
@@ -277,9 +222,8 @@
else
dispatch.forward(request, response);
return false;
- }
+ }
-
//We got a response with the principal
List<String> roles = saml2HandlerResponse.getRoles();
if(principal == null)
@@ -311,8 +255,6 @@
return true;
}
-
-
}
catch (Exception e)
{
@@ -320,68 +262,20 @@
log.trace("Server Exception:", e);
throw new IOException("Server Exception");
}
- }
+ }
-
+ //Handle SAML Requests from IDP
if(isNotNull(samlRequest))
{
//we got a logout request
-
- //deal with SAML response from IDP
- InputStream is = RedirectBindingUtil.base64DeflateDecode(samlRequest);
-
try
- {
- SAML2Object samlObject = saml2Request.getSAML2ObjectFromStream(is);
- SAMLDocumentHolder documentHolder = saml2Request.getSamlDocumentHolder();
+ {
+ ServiceProviderSAMLRequestProcessor requestProcessor =
+ new ServiceProviderSAMLRequestProcessor(false, this.serviceURL);
+ boolean result = requestProcessor.process(samlRequest, httpContext,
handlers);
- Set<SAML2Handler> handlers = chain.handlers();
- IssuerInfoHolder holder = new IssuerInfoHolder(this.serviceURL);
- ProtocolContext protocolContext = new HTTPContext(request,response,
context.getServletContext());
- //Create the request/response
- SAML2HandlerRequest saml2HandlerRequest =
- new DefaultSAML2HandlerRequest(protocolContext,
- holder.getIssuer(), documentHolder,
- HANDLER_TYPE.SP);
-
- SAML2HandlerResponse saml2HandlerResponse = new
DefaultSAML2HandlerResponse();
-
- //Deal with handler chains
- for(SAML2Handler handler : handlers)
- {
- if(saml2HandlerResponse.isInError())
- {
- response.sendError(saml2HandlerResponse.getErrorCode());
- break;
- }
- if(samlObject instanceof RequestAbstractType)
- {
- handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse);
- }
- else
- {
- handler.handleStatusResponseType(saml2HandlerRequest,
saml2HandlerResponse);
- }
- }
-
- Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
- relayState = saml2HandlerResponse.getRelayState();
-
- String destination = saml2HandlerResponse.getDestination();
-
-
- if(destination != null &&
- samlResponseDocument != null)
- {
- String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument);
-
- String base64Request =
RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8"));
- String destinationURL = destination +
- getDestination(base64Request, relayState,
saml2HandlerResponse.getSendRequest());
-
- HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response);
- return true;
- }
+ if(result)
+ return result;
}
catch (Exception e)
{
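Review bot: The retained comment `//we got a logout request` (L557) is now inaccurate: `ServiceProviderSAMLRequestProcessor` is handed the raw `SAMLRequest` and, via `SAMLHandlerChainProcessor`, dispatches any `RequestAbstractType` to `handleRequestType`, so the branch is no longer logout-specific; reword it to `//SAML request (e.g. LogoutRequest) from the IDP; the handler chain decides what it is`. The false path of `requestProcessor.process(...)` at L569 also drops into `super.authenticate` with no log statement, so a request the chain declined is indistinguishable from a plain user visit; `if(result) return result;` followed by `log.warn("SAML request from IDP was not processed; falling back to form authentication");` would make that visible. The body of `authenticate` continues outside this hunk.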
@@ -389,8 +283,9 @@
log.trace("Server Exception:", e);
throw new IOException("Server Exception");
}
- }//end else logoutrequest
+ }//end if
+
//fallback
return super.authenticate(request, response, loginConfig);
}
Added:
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/SAMLHandlerChainProcessor.java
===================================================================
---
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/SAMLHandlerChainProcessor.java
(rev 0)
+++
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/SAMLHandlerChainProcessor.java 2009-10-27
21:08:12 UTC (rev 878)
@@ -0,0 +1,73 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.identity.federation.web.process;
+
+import java.io.IOException;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.jboss.identity.federation.core.exceptions.ProcessingException;
+import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2Handler;
+import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
+import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
+import org.jboss.identity.federation.saml.v2.SAML2Object;
+import org.jboss.identity.federation.saml.v2.protocol.RequestAbstractType;
+import org.jboss.identity.federation.web.core.HTTPContext;
+
+/**
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Oct 27, 2009
+ */
+public class SAMLHandlerChainProcessor
+{
+ private Set<SAML2Handler> handlers = new HashSet<SAML2Handler>();
+
+ public SAMLHandlerChainProcessor(Set<SAML2Handler> handlers)
+ {
+ this.handlers.addAll(handlers);
+ }
+
+ public void callHandlerChain(SAML2Object samlObject,
+ SAML2HandlerRequest saml2HandlerRequest,
+ SAML2HandlerResponse saml2HandlerResponse,
+ HTTPContext httpContext)
+ throws ProcessingException, IOException
+ {
+ //Deal with handler chains
+ for(SAML2Handler handler : handlers)
+ {
+ if(saml2HandlerResponse.isInError())
+ {
+ httpContext.getResponse().sendError(saml2HandlerResponse.getErrorCode());
+ break;
+ }
+ if(samlObject instanceof RequestAbstractType)
+ {
+ handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse);
+ }
+ else
+ {
+ handler.handleStatusResponseType(saml2HandlerRequest, saml2HandlerResponse);
+ }
+ }
+ }
+}
\ No newline at end of file
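Review bot: Copying the handlers into a `HashSet` (L690, L694) discards whatever order `chain.handlers()` provided, whereas the pre-commit loops in both authenticators iterated `chain.handlers()` directly; handler chains are order-sensitive (a handler that validates the incoming message must run before one that acts on it), so this is a regression and a `LinkedHashSet` should be used instead (needs `java.util.LinkedHashSet`). The error check at L706 runs at the top of each iteration, so an error set by the last handler is never reported with `sendError`, and after `break` the method returns normally, leaving callers no way to know the chain aborted. Moving the check after each handler invocation and returning a boolean fixes both, assuming the callers in the new processors (not all visible here) are updated to read it.
```java
    private final Set<SAML2Handler> handlers = new LinkedHashSet<SAML2Handler>();

    // … unchanged: constructor …

    public boolean callHandlerChain(SAML2Object samlObject,
            SAML2HandlerRequest saml2HandlerRequest,
            SAML2HandlerResponse saml2HandlerResponse,
            HTTPContext httpContext)
    throws ProcessingException, IOException
    {
        for(SAML2Handler handler : handlers)
        {
            if(samlObject instanceof RequestAbstractType)
                handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse);
            else
                handler.handleStatusResponseType(saml2HandlerRequest, saml2HandlerResponse);

            // check after the handler so an error from the last one is reported too
            if(saml2HandlerResponse.isInError())
            {
                httpContext.getResponse().sendError(saml2HandlerResponse.getErrorCode());
                return false;
            }
        }
        return true;
    }
```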
Added:
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/ServiceProviderBaseProcessor.java
===================================================================
---
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/ServiceProviderBaseProcessor.java
(rev 0)
+++
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/ServiceProviderBaseProcessor.java 2009-10-27
21:08:12 UTC (rev 878)
@@ -0,0 +1,128 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.identity.federation.web.process;
+
+import static org.jboss.identity.federation.core.util.StringUtil.isNotNull;
+
+import java.io.IOException;
+import java.util.Set;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.log4j.Logger;
+import org.jboss.identity.federation.core.exceptions.ConfigurationException;
+import org.jboss.identity.federation.core.exceptions.ParsingException;
+import org.jboss.identity.federation.core.exceptions.ProcessingException;
+import org.jboss.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
+import org.jboss.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
+import org.jboss.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerRequest;
+import org.jboss.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerResponse;
+import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2Handler;
+import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
+import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
+import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2Handler.HANDLER_TYPE;
+import
org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest.GENERATE_REQUEST_TYPE;
+import org.jboss.identity.federation.web.constants.GeneralConstants;
+import org.jboss.identity.federation.web.core.HTTPContext;
+
+/**
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Oct 27, 2009
+ */
+public class ServiceProviderBaseProcessor
+{
+ protected static Logger log = Logger.getLogger(ServiceProviderBaseProcessor.class);
+
+ protected boolean postBinding;
+ protected String serviceURL;
+
+ /**
+ * Construct
+ * @param postBinding Whether it is the Post Binding
+ * @param serviceURL Service URL of the SP
+ */
+ public ServiceProviderBaseProcessor(boolean postBinding, String serviceURL)
+ {
+ this.postBinding = postBinding;
+ this.serviceURL = serviceURL;
+ }
+
+ public SAML2HandlerResponse process(HTTPContext httpContext,
+ Set<SAML2Handler> handlers)
+ throws ProcessingException, IOException, ParsingException, ConfigurationException
+ {
+ //Neither saml request nor response from IDP
+ //So this is a user request
+
+ //Ask the handler chain to generate the saml request
+
+ //Create the request/response
+ SAML2HandlerRequest saml2HandlerRequest = getSAML2HandlerRequest(null,httpContext);
+ SAML2HandlerResponse saml2HandlerResponse = new DefaultSAML2HandlerResponse();
+
+ //Reset the state
+ try
+ {
+ for(SAML2Handler handler: handlers)
+ {
+ handler.reset();
+ if(saml2HandlerResponse.isInError())
+ {
+ httpContext.getResponse().sendError(saml2HandlerResponse.getErrorCode());
+ break;
+ }
+
+ if(isLogOutRequest(httpContext))
+
saml2HandlerRequest.setTypeOfRequestToBeGenerated(GENERATE_REQUEST_TYPE.LOGOUT);
+ else
+
saml2HandlerRequest.setTypeOfRequestToBeGenerated(GENERATE_REQUEST_TYPE.AUTH);
+ handler.generateSAMLRequest(saml2HandlerRequest, saml2HandlerResponse);
+ }
+ }
+ catch(ProcessingException pe)
+ {
+ log.error("Processing Exception:", pe);
+ throw new RuntimeException(pe);
+ }
+
+ return saml2HandlerResponse;
+ }
+
+ protected SAML2HandlerRequest getSAML2HandlerRequest(SAMLDocumentHolder
documentHolder,
+ HTTPContext httpContext)
+ {
+ IssuerInfoHolder holder = new IssuerInfoHolder(this.serviceURL);
+
+ return
+ new DefaultSAML2HandlerRequest(httpContext,
+ holder.getIssuer(), documentHolder,
+ HANDLER_TYPE.SP);
+ }
+
+ protected boolean isLogOutRequest(HTTPContext httpContext)
+ {
+ HttpServletRequest request = httpContext.getRequest();
+ String gloStr = request.getParameter(GeneralConstants.GLOBAL_LOGOUT);
+ return isNotNull(gloStr) && "true".equalsIgnoreCase(gloStr);
+ }
+
+}
\ No newline at end of file
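Review bot: `process` declares `throws ProcessingException` (L805) but the catch at L837-L841 swallows that exception and rethrows it as an unchecked `RuntimeException`, so the declaration is misleading, every caller's `catch(ProcessingException)` is dead, and the failure propagates through the Tomcat authenticator as an uncontrolled 500; log it and rethrow the original, `log.error("Processing Exception:", pe); throw pe;`, or drop the catch entirely. The `isInError()` test at L822 is evaluated before each handler's `generateSAMLRequest`, so an error set by the final handler is never turned into `sendError`, and the caller receives the response with no indication that an error was already written; checking after the call and documenting that the returned response must be tested with `isInError()` would close that gap. `postBinding` is stored but not used in this class, so a comment noting it is for subclasses would help the next reader.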
Added:
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/ServiceProviderSAMLRequestProcessor.java
===================================================================
---
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/ServiceProviderSAMLRequestProcessor.java
(rev 0)
+++
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/ServiceProviderSAMLRequestProcessor.java 2009-10-27
21:08:12 UTC (rev 878)
@@ -0,0 +1,195 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.identity.federation.web.process;
+
+import static org.jboss.identity.federation.core.util.StringUtil.isNotNull;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Set;
+
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+
+import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
+import org.jboss.identity.federation.core.exceptions.ConfigurationException;
+import org.jboss.identity.federation.core.exceptions.ParsingException;
+import org.jboss.identity.federation.core.exceptions.ProcessingException;
+import org.jboss.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
+import org.jboss.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
+import org.jboss.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerResponse;
+import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2Handler;
+import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
+import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
+import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
+import org.jboss.identity.federation.saml.v2.SAML2Object;
+import org.jboss.identity.federation.web.core.HTTPContext;
+import org.jboss.identity.federation.web.util.HTTPRedirectUtil;
+import org.jboss.identity.federation.web.util.PostBindingUtil;
+import org.jboss.identity.federation.web.util.RedirectBindingUtil;
+import org.w3c.dom.Document;
+
+/**
+ * Utility Class to handle processing of
+ * an SAML Request Message
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Oct 27, 2009
+ */
+public class ServiceProviderSAMLRequestProcessor extends ServiceProviderBaseProcessor
+{
+
+ /**
+ * Construct
+ * @param postBinding Whether it is the Post Binding
+ * @param serviceURL Service URL of the SP
+ */
+ public ServiceProviderSAMLRequestProcessor(boolean postBinding, String serviceURL)
+ {
+ super(postBinding,serviceURL);
+ }
+
+ public boolean process(String samlRequest, HTTPContext httpContext,
+ Set<SAML2Handler> handlers)
+ throws ProcessingException, IOException, ParsingException, ConfigurationException
+ {
+ SAML2Request saml2Request = new SAML2Request();
+ SAML2HandlerResponse saml2HandlerResponse = null;
+ SAML2Object samlObject = null;
+ SAMLDocumentHolder documentHolder = null;
+
+ if(this.postBinding)
+ {
+ //we got a logout request from IDP
+ InputStream is = PostBindingUtil.base64DecodeAsStream(samlRequest);
+ samlObject = saml2Request.getSAML2ObjectFromStream(is);
+ }
+ else
+ {
+ InputStream is = RedirectBindingUtil.base64DeflateDecode(samlRequest);
+ samlObject = saml2Request.getSAML2ObjectFromStream(is);
+ }
+
+ documentHolder = saml2Request.getSamlDocumentHolder();
+
+ //Create the request/response
+ SAML2HandlerRequest saml2HandlerRequest = getSAML2HandlerRequest(documentHolder,
httpContext);
+ saml2HandlerResponse = new DefaultSAML2HandlerResponse();
+
+ SAMLHandlerChainProcessor chainProcessor = new
SAMLHandlerChainProcessor(handlers);
+
+ chainProcessor.callHandlerChain(samlObject, saml2HandlerRequest,
+ saml2HandlerResponse, httpContext);
+
+ Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
+ String relayState = saml2HandlerResponse.getRelayState();
+
+ String destination = saml2HandlerResponse.getDestination();
+
+ boolean willSendRequest = saml2HandlerResponse.getSendRequest();
+
+ if(destination != null &&
+ samlResponseDocument != null)
+ {
+ if(postBinding)
+ {
+ sendRequestToIDP(destination, samlResponseDocument, relayState,
+ httpContext.getResponse(), willSendRequest);
+ }
+ else
+ {
+ String samlMsg;
+ try
+ {
+ samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument);
+ }
+ catch (TransformerFactoryConfigurationError e)
+ {
+ throw new ConfigurationException(e);
+ }
+ catch (TransformerException e)
+ {
+ throw new ProcessingException(e);
+ }
+
+ String base64Request =
RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8"));
+ String destinationURL = destination +
+ getDestination(base64Request, relayState,
saml2HandlerResponse.getSendRequest());
+
+ HTTPRedirectUtil.sendRedirectForRequestor(destinationURL,
httpContext.getResponse());
+ }
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
+ * Send the request to the IDP
+ * @param destination idp url
+ * @param samlDocument request or response document
+ * @param relayState
+ * @param response
+ * @param willSendRequest are we sending Request or Response to IDP
+ * @throws ProcessingException
+ * @throws ConfigurationException
+ */
+ protected void sendRequestToIDP(
+ String destination, Document samlDocument,String relayState,
+ HttpServletResponse response,
+ boolean willSendRequest)
+ throws ProcessingException, ConfigurationException
+ {
+ try
+ {
+ String samlMessage = DocumentUtil.getDocumentAsString(samlDocument);
+ samlMessage = PostBindingUtil.base64Encode(samlMessage);
+ PostBindingUtil.sendPost(new DestinationInfoHolder(destination, samlMessage,
relayState),
+ response, willSendRequest);
+ }
+ catch (TransformerFactoryConfigurationError e)
+ {
+ throw new ConfigurationException(e);
+ }
+ catch (TransformerException e)
+ {
+ throw new ProcessingException(e);
+ }
+ catch (IOException e)
+ {
+ throw new ProcessingException(e);
+ }
+ }
+
+ private String getDestination(String urlEncodedRequest, String urlEncodedRelayState,
+ boolean sendRequest)
+ {
+ StringBuilder sb = new StringBuilder();
+ if(sendRequest)
+ sb.append("?SAMLRequest=").append(urlEncodedRequest);
+ else
+ sb.append("?SAMLResponse=").append(urlEncodedRequest);
+ if(isNotNull(urlEncodedRelayState))
+ sb.append("&RelayState=").append(urlEncodedRelayState);
+ return sb.toString();
+ }
+}
\ No newline at end of file
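Review bot: The RelayState appended to the redirect URL in `process` via `getDestination(base64Request, relayState, ...)` is not URL-encoded even though getDestination names its parameter `urlEncodedRelayState`, so a value containing `&`, `#` or `=` would corrupt the query string, and getDestination also assumes `destination` carries no query of its own since it always prepends `?`. Passing `isNotNull(relayState) ? URLEncoder.encode(relayState, "UTF-8") : relayState` (java.net.URLEncoder) closes the first gap; the second deserves at least a comment on getDestination such as `// assumes destination has no query string; the caller appends this verbatim`. The decoded stream is handed to SAML2Request.getSAML2ObjectFromStream outside this hunk; since samlRequest presumably arrives from the user agent, it is worth confirming that the XML parser behind that call has DTD and external-entity resolution disabled. `process` has no Javadoc: it returns true only when the handler chain produced both a destination and a document and the message was dispatched, false otherwise, and the caller must still inspect the handler response for errors. The comment `//we got a logout request from IDP` in the POST branch is misleading, as that branch decodes any request, not only logout.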
Added:
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java
===================================================================
---
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java
(rev 0)
+++
identity-federation/trunk/jboss-identity-web/src/main/java/org/jboss/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java 2009-10-27
21:08:12 UTC (rev 878)
@@ -0,0 +1,97 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.identity.federation.web.process;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Set;
+
+import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
+import org.jboss.identity.federation.core.exceptions.ConfigurationException;
+import org.jboss.identity.federation.core.exceptions.ParsingException;
+import org.jboss.identity.federation.core.exceptions.ProcessingException;
+import org.jboss.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
+import org.jboss.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerResponse;
+import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2Handler;
+import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
+import org.jboss.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
+import org.jboss.identity.federation.saml.v2.SAML2Object;
+import org.jboss.identity.federation.web.core.HTTPContext;
+import org.jboss.identity.federation.web.util.PostBindingUtil;
+import org.jboss.identity.federation.web.util.RedirectBindingUtil;
+
+/**
+ * Utility Class to handle processing of
+ * an SAML Request Message
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Oct 27, 2009
+ */
+public class ServiceProviderSAMLResponseProcessor extends ServiceProviderBaseProcessor
+{
+ /**
+ * Construct
+ * @param postBinding Whether it is the Post Binding
+ * @param serviceURL Service URL of the SP
+ */
+ public ServiceProviderSAMLResponseProcessor(boolean postBinding, String serviceURL)
+ {
+ super(postBinding, serviceURL);
+ }
+
+ public SAML2HandlerResponse process(String samlResponse, HTTPContext httpContext,
+ Set<SAML2Handler> handlers)
+ throws ProcessingException, IOException, ParsingException, ConfigurationException
+ {
+ SAML2Response saml2Response = new SAML2Response();
+ SAMLDocumentHolder documentHolder = null;
+ SAML2Object samlObject = null;
+
+ if(this.postBinding)
+ {
+ //we got a logout request
+ //deal with SAML response from IDP
+ InputStream is = PostBindingUtil.base64DecodeAsStream(samlResponse);
+
+ samlObject = saml2Response.getSAML2ObjectFromStream(is);
+ documentHolder = saml2Response.getSamlDocumentHolder();
+ }
+ else
+ {
+ //deal with SAML response from IDP
+ InputStream base64DecodedResponse =
RedirectBindingUtil.base64DeflateDecode(samlResponse);
+
+ samlObject = saml2Response.getSAML2ObjectFromStream(base64DecodedResponse);
+ documentHolder = saml2Response.getSamlDocumentHolder();
+ }
+
+ //Create the request/response
+ SAML2HandlerRequest saml2HandlerRequest = getSAML2HandlerRequest(documentHolder,
httpContext);
+ SAML2HandlerResponse saml2HandlerResponse = new DefaultSAML2HandlerResponse();
+
+ SAMLHandlerChainProcessor chainProcessor = new
SAMLHandlerChainProcessor(handlers);
+
+ chainProcessor.callHandlerChain(samlObject, saml2HandlerRequest,
+ saml2HandlerResponse, httpContext);
+
+ return saml2HandlerResponse;
+ }
+}
\ No newline at end of file
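Review bot: The class Javadoc of ServiceProviderSAMLResponseProcessor still says `an SAML Request Message`, copied from the request processor, and the `//we got a logout request` comment in the POST branch describes a request rather than the response this class decodes; both should read "Response". `process` has no Javadoc either, and it returns the handler chain's SAML2HandlerResponse without inspecting it, so the contract should be stated, e.g. `@return the handler chain's response; callers must check isInError() and the error code before using it`. Nothing in this class validates the signature or issuer of the decoded response, so presumably that is done by the handlers in the chain; naming that assumption in the Javadoc would help the next maintainer. The `documentHolder = saml2Response.getSamlDocumentHolder();` assignment is duplicated in both branches and could be hoisted after the if/else, as the request processor does.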