Author: anil.saldhana(a)jboss.com
Date: 2009-01-09 15:16:58 -0500 (Fri, 09 Jan 2009)
New Revision: 210
Added:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPUtil.java
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectValve.java
identity-federation/trunk/identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/request/SAML2Request.java
Log:
some refactor
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2009-01-08
22:56:03 UTC (rev 209)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2009-01-09
20:16:58 UTC (rev 210)
@@ -26,39 +26,24 @@
import java.io.InputStream;
import java.net.URLEncoder;
import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
import javax.servlet.ServletException;
-import javax.xml.bind.JAXBElement;
-import org.apache.catalina.Context;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
-import org.apache.catalina.realm.GenericPrincipal;
import org.apache.log4j.Logger;
-import org.jboss.identity.federation.api.saml.v2.common.IDGenerator;
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
import org.jboss.identity.federation.api.util.Base64;
import org.jboss.identity.federation.api.util.DeflateUtil;
import org.jboss.identity.federation.bindings.util.HTTPRedirectUtil;
-import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.jboss.identity.federation.core.saml.v2.exceptions.AssertionExpiredException;
-import org.jboss.identity.federation.core.saml.v2.util.XMLTimeUtil;
-import org.jboss.identity.federation.saml.v2.assertion.AssertionType;
-import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType;
-import org.jboss.identity.federation.saml.v2.assertion.AttributeType;
-import org.jboss.identity.federation.saml.v2.assertion.ConditionsType;
-import org.jboss.identity.federation.saml.v2.assertion.NameIDType;
-import org.jboss.identity.federation.saml.v2.assertion.SubjectType;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
-import org.jboss.identity.federation.saml.v2.protocol.StatusType;
/**
* Authenticator at the Service Provider
@@ -71,7 +56,7 @@
public class SPRedirectFormAuthenticator extends FormAuthenticator
{
private static Logger log = Logger.getLogger(SPRedirectFormAuthenticator.class);
-
+
private String serviceURL = null;
private String identityURL = null;
@@ -147,9 +132,8 @@
SAML2Request saml2Request = new SAML2Request();
- AuthnRequestType authnRequest = saml2Request.createAuthnRequestType(
- IDGenerator.create("ID_"), serviceURL,
- identityURL, serviceURL);
+ SPUtil spUtil = new SPUtil();
+ AuthnRequestType authnRequest = spUtil.createSAMLRequest(serviceURL, identityURL);
ByteArrayOutputStream baos = new ByteArrayOutputStream();
saml2Request.marshall(authnRequest, baos);
@@ -166,8 +150,7 @@
HTTPRedirectUtil.sendRedirect(destination, response);
return;
}
-
- @SuppressWarnings("unchecked")
+
private Principal process(Request request, Response response) throws Exception
{
Principal userPrincipal = null;
@@ -182,50 +165,10 @@
SAML2Response saml2Response = new SAML2Response();
ResponseType responseType = saml2Response.getResponseType(is);
- StatusType statusType = responseType.getStatus();
- if(statusType == null)
- throw new Exception("Status Type from the IDP is null");
-
- String statusValue = statusType.getStatusCode().getValue();
- if(JBossSAMLURIConstants.STATUS_SUCCESS.get().equals(statusValue) == false)
- throw new SecurityException("IDP forbid the user");
-
- AssertionType assertion = (AssertionType)
responseType.getAssertionOrEncryptedAssertion().get(0);
- //Check for validity of assertion
- ConditionsType conditionsType = assertion.getConditions();
- if(conditionsType != null)
- {
- boolean isValidAssertion = XMLTimeUtil.isValid(XMLTimeUtil.getIssueInstant(),
- conditionsType.getNotBefore(), conditionsType.getNotOnOrAfter());
- if(isValidAssertion == false)
- throw new AssertionExpiredException();
- }
- SubjectType subject = assertion.getSubject();
- JAXBElement<NameIDType> jnameID = (JAXBElement<NameIDType>)
subject.getContent().get(0);
- NameIDType nameID = jnameID.getValue();
- String userName = nameID.getValue();
- List<String> roles = new ArrayList<String>();
-
- //Let us get the roles
- AttributeStatementType attributeStatement = (AttributeStatementType)
assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement().get(0);
- List<Object> attList =
attributeStatement.getAttributeOrEncryptedAttribute();
- for(Object obj:attList)
- {
- AttributeType attr = (AttributeType) obj;
- String roleName = (String) attr.getAttributeValue().get(0);
- roles.add(roleName);
- }
-
- userPrincipal = this.createGenericPrincipal(request, userName, roles);
+ SPUtil spUtil = new SPUtil();
+ return spUtil.handleSAMLResponse(request, responseType);
}
return userPrincipal;
- }
-
-
- private Principal createGenericPrincipal(Request request, String username,
List<String> roles)
- {
- Context ctx = request.getContext();
- return new GenericPrincipal(ctx.getRealm(), username, null, roles);
- }
+ }
}
\ No newline at end of file
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectValve.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectValve.java 2009-01-08
22:56:03 UTC (rev 209)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectValve.java 2009-01-09
20:16:58 UTC (rev 210)
@@ -26,18 +26,13 @@
import java.io.InputStream;
import java.net.URLEncoder;
import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
import javax.servlet.ServletException;
-import javax.xml.bind.JAXBElement;
-import org.apache.catalina.Context;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
-import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;
import org.apache.log4j.Logger;
import org.jboss.identity.federation.api.saml.v2.common.IDGenerator;
@@ -46,15 +41,8 @@
import org.jboss.identity.federation.api.util.Base64;
import org.jboss.identity.federation.api.util.DeflateUtil;
import org.jboss.identity.federation.bindings.util.HTTPRedirectUtil;
-import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
-import org.jboss.identity.federation.saml.v2.assertion.AssertionType;
-import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType;
-import org.jboss.identity.federation.saml.v2.assertion.AttributeType;
-import org.jboss.identity.federation.saml.v2.assertion.NameIDType;
-import org.jboss.identity.federation.saml.v2.assertion.SubjectType;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
-import org.jboss.identity.federation.saml.v2.protocol.StatusType;
/**
* Valve at the Service Provider for the HTTP/Redirect binding
@@ -76,9 +64,8 @@
public void setServiceURL(String url)
{
this.serviceURL = url;
- }
-
- @SuppressWarnings("unchecked")
+ }
+
@Override
public void invoke(Request request, Response response) throws IOException,
ServletException
{
@@ -98,33 +85,11 @@
SAML2Response saml2Response = new SAML2Response();
ResponseType responseType = saml2Response.getResponseType(is);
- StatusType statusType = responseType.getStatus();
- if(statusType == null)
- throw new Exception("Status Type from the IDP is null");
-
- String statusValue = statusType.getStatusCode().getValue();
- if(JBossSAMLURIConstants.STATUS_SUCCESS.get().equals(statusValue) ==
false)
- throw new SecurityException("IDP forbid the user");
-
- AssertionType assertion = (AssertionType)
responseType.getAssertionOrEncryptedAssertion().get(0);
- SubjectType subject = assertion.getSubject();
- JAXBElement<NameIDType> jnameID = (JAXBElement<NameIDType>)
subject.getContent().get(0);
- NameIDType nameID = jnameID.getValue();
- String userName = nameID.getValue();
- List<String> roles = new ArrayList<String>();
-
- //Let us get the roles
- AttributeStatementType attributeStatement = (AttributeStatementType)
assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement().get(0);
- List<Object> attList =
attributeStatement.getAttributeOrEncryptedAttribute();
- for(Object obj:attList)
- {
- AttributeType attr = (AttributeType) obj;
- String roleName = (String) attr.getAttributeValue().get(0);
- roles.add(roleName);
- }
-
-
- Principal idpPrincipal = this.createGenericPrincipal(request, userName,
roles);
+
+
+ SPUtil spUtil = new SPUtil();
+ Principal idpPrincipal = spUtil.handleSAMLResponse(request,
responseType);
+
Session session = request.getSessionInternal(true);
session.setNote(Constants.REQ_SSOID_NOTE, IDGenerator.create());
request.setUserPrincipal(idpPrincipal);
@@ -136,11 +101,10 @@
if(this.serviceURL == null)
throw new ServletException("serviceURL is not configured");
+ SPUtil spUtil = new SPUtil();
SAML2Request saml2Request = new SAML2Request();
- AuthnRequestType authnRequest = saml2Request.createAuthnRequestType(
- IDGenerator.create("ID_"), serviceURL,
- identityURL, serviceURL);
+ AuthnRequestType authnRequest = spUtil.createSAMLRequest(serviceURL,
identityURL);
ByteArrayOutputStream baos = new ByteArrayOutputStream();
saml2Request.marshall(authnRequest, baos);
@@ -175,10 +139,4 @@
response.recycle();
getNext().invoke(request, response);
}
-
- private Principal createGenericPrincipal(Request request, String username,
List<String> roles)
- {
- Context ctx = request.getContext();
- return new GenericPrincipal(ctx.getRealm(), username, null, roles);
- }
}
\ No newline at end of file
Added:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPUtil.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPUtil.java
(rev 0)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPUtil.java 2009-01-09
20:16:58 UTC (rev 210)
@@ -0,0 +1,131 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.identity.federation.bindings.tomcat.sp;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.bind.JAXBElement;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.realm.GenericPrincipal;
+import org.jboss.identity.federation.api.saml.v2.common.IDGenerator;
+import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
+import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
+import org.jboss.identity.federation.core.saml.v2.exceptions.AssertionExpiredException;
+import org.jboss.identity.federation.core.saml.v2.util.XMLTimeUtil;
+import org.jboss.identity.federation.saml.v2.assertion.AssertionType;
+import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.jboss.identity.federation.saml.v2.assertion.AttributeType;
+import org.jboss.identity.federation.saml.v2.assertion.ConditionsType;
+import org.jboss.identity.federation.saml.v2.assertion.NameIDType;
+import org.jboss.identity.federation.saml.v2.assertion.SubjectType;
+import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
+import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.jboss.identity.federation.saml.v2.protocol.StatusType;
+
+/**
+ * Common code useful for a SP
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Jan 9, 2009
+ */
+public class SPUtil
+{
+ /**
+ * Create a SAML2 auth request
+ * @param serviceURL URL of the service
+ * @param identityURL URL of the identity provider
+ * @return
+ * @throws Exception
+ */
+ public AuthnRequestType createSAMLRequest(String serviceURL, String identityURL)
throws Exception
+ {
+ if(serviceURL == null)
+ throw new IllegalArgumentException("serviceURL is null");
+ if(identityURL == null)
+ throw new IllegalArgumentException("identityURL is null");
+
+ SAML2Request saml2Request = new SAML2Request();
+ String id = IDGenerator.create("ID_");
+ return saml2Request.createAuthnRequestType(id, serviceURL, identityURL,
serviceURL);
+ }
+
+ /**
+ * Handle the SAMLResponse from the IDP
+ * @param request entire request from IDP
+ * @param responseType ResponseType that has been generated
+ * @return
+ * @throws Exception
+ */
+ @SuppressWarnings("unchecked")
+ public Principal handleSAMLResponse(Request request, ResponseType responseType) throws
Exception
+ {
+ if(request == null)
+ throw new IllegalArgumentException("request is null");
+ if(responseType == null)
+ throw new IllegalArgumentException("response type is null");
+
+ StatusType statusType = responseType.getStatus();
+ if(statusType == null)
+ throw new Exception("Status Type from the IDP is null");
+
+ String statusValue = statusType.getStatusCode().getValue();
+ if(JBossSAMLURIConstants.STATUS_SUCCESS.get().equals(statusValue) == false)
+ throw new SecurityException("IDP forbid the user");
+
+ AssertionType assertion = (AssertionType)
responseType.getAssertionOrEncryptedAssertion().get(0);
+ //Check for validity of assertion
+ ConditionsType conditionsType = assertion.getConditions();
+ if(conditionsType != null)
+ {
+ boolean isValidAssertion = XMLTimeUtil.isValid(XMLTimeUtil.getIssueInstant(),
+ conditionsType.getNotBefore(), conditionsType.getNotOnOrAfter());
+ if(isValidAssertion == false)
+ throw new AssertionExpiredException();
+ }
+
+ SubjectType subject = assertion.getSubject();
+ JAXBElement<NameIDType> jnameID = (JAXBElement<NameIDType>)
subject.getContent().get(0);
+ NameIDType nameID = jnameID.getValue();
+ String userName = nameID.getValue();
+ List<String> roles = new ArrayList<String>();
+
+ //Let us get the roles
+ AttributeStatementType attributeStatement = (AttributeStatementType)
assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement().get(0);
+ List<Object> attList =
attributeStatement.getAttributeOrEncryptedAttribute();
+ for(Object obj:attList)
+ {
+ AttributeType attr = (AttributeType) obj;
+ String roleName = (String) attr.getAttributeValue().get(0);
+ roles.add(roleName);
+ }
+ return this.createGenericPrincipal(request, userName, roles);
+ }
+
+ private Principal createGenericPrincipal(Request request, String username,
List<String> roles)
+ {
+ Context ctx = request.getContext();
+ return new GenericPrincipal(ctx.getRealm(), username, null, roles);
+ }
+}
\ No newline at end of file
Modified:
identity-federation/trunk/identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/request/SAML2Request.java
===================================================================
---
identity-federation/trunk/identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/request/SAML2Request.java 2009-01-08
22:56:03 UTC (rev 209)
+++
identity-federation/trunk/identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/request/SAML2Request.java 2009-01-09
20:16:58 UTC (rev 210)
@@ -25,12 +25,15 @@
import java.io.OutputStream;
import java.io.Writer;
+import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.Marshaller;
import javax.xml.bind.Unmarshaller;
import
org.jboss.identity.federation.core.saml.v2.factories.JBossSAMLAuthnRequestFactory;
+import
org.jboss.identity.federation.saml.v2.profiles.xacml.protocol.XACMLAuthzDecisionQueryType;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
+import org.jboss.identity.federation.saml.v2.protocol.RequestAbstractType;
/**
* API for SAML2 Request
@@ -39,6 +42,15 @@
*/
public class SAML2Request
{
+ /**
+ * Create an authentication request
+ * @param id
+ * @param assertionConsumerURL
+ * @param destination
+ * @param issuerValue
+ * @return
+ * @throws Exception
+ */
public AuthnRequestType createAuthnRequestType(String id,
String assertionConsumerURL,
String destination,
@@ -83,6 +95,48 @@
}
/**
+ * Parse an XACML Authorization Decision Query from an xml file
+ * @param resourceName
+ * @return
+ * @throws Exception
+ */
+ public XACMLAuthzDecisionQueryType parseXACMLDecisionQuery(String resourceName) throws
Exception
+ {
+ ClassLoader tcl = SecurityActions.getContextClassLoader();
+ InputStream is = tcl.getResourceAsStream(resourceName);
+ return this.parseXACMLDecisionQuery(is);
+ }
+
+ /**
+ * XACMLAuthorizationDecisionQuery from an input stream
+ * @param is The InputStream where the xacml query exists
+ * @return
+ * @throws Exception
+ */
+ @SuppressWarnings("unchecked")
+ public XACMLAuthzDecisionQueryType parseXACMLDecisionQuery(InputStream is) throws
Exception
+ {
+ if(is == null)
+ throw new IllegalArgumentException("Inputstream is null");
+
+ String samlPath = "org.jboss.identity.federation.saml.v2.protocol";
+ String xacmlPath = "org.jboss.security.xacml.core.model.context";
+ String xsAssert =
"org.jboss.identity.federation.saml.v2.profiles.xacml.assertion";
+ String xsProto =
"org.jboss.identity.federation.saml.v2.profiles.xacml.protocol";
+ String path = samlPath + ":" + xacmlPath + ":" + xsAssert +
":" + xsProto;
+
+ JAXBContext jaxb = JAXBContext.newInstance(path);
+ Unmarshaller un = jaxb.createUnmarshaller();
+
+ JAXBElement<RequestAbstractType> jaxbRequestType =
(JAXBElement<RequestAbstractType>) un.unmarshal(is);
+ RequestAbstractType req = jaxbRequestType.getValue();
+ if(req instanceof XACMLAuthzDecisionQueryType == false)
+ throw new IllegalStateException("Not of type
XACMLAuthzDecisionQueryType");
+
+ return (XACMLAuthzDecisionQueryType) req;
+ }
+
+ /**
* Marshall the AuthnRequestType to an output stream
* @param requestType
* @param os