Author: anil.saldhana(a)jboss.com
Date: 2008-12-12 17:40:02 -0500 (Fri, 12 Dec 2008)
New Revision: 160
Added:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectValve.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/
Log:
bindings
Added:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java
(rev 0)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java 2008-12-12
22:40:02 UTC (rev 160)
@@ -0,0 +1,214 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.identity.federation.bindings.tomcat.idp;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.StringWriter;
+import java.net.URLEncoder;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Iterator;
+import java.util.List;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.catalina.Role;
+import org.apache.catalina.User;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.realm.GenericPrincipal;
+import org.apache.catalina.valves.ValveBase;
+import org.apache.log4j.Logger;
+import org.jboss.identity.federation.api.saml.v2.factories.JBossSAMLAuthnRequestFactory;
+import
org.jboss.identity.federation.api.saml.v2.factories.JBossSAMLAuthnResponseFactory;
+import org.jboss.identity.federation.api.saml.v2.factories.JBossSAMLBaseFactory;
+import org.jboss.identity.federation.api.util.Base64;
+import org.jboss.identity.federation.api.util.DeflateUtil;
+import org.jboss.identity.federation.saml.v2.assertion.AssertionType;
+import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.jboss.identity.federation.saml.v2.assertion.AttributeType;
+import org.jboss.identity.federation.saml.v2.jboss.IDPInfoHolder;
+import org.jboss.identity.federation.saml.v2.jboss.IssuerInfoHolder;
+import org.jboss.identity.federation.saml.v2.jboss.JBossSAMLURIConstants;
+import org.jboss.identity.federation.saml.v2.jboss.SPInfoHolder;
+import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
+import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+
+/**
+ * Valve at the IDP that supports the HTTP/Redirect Binding
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Dec 9, 2008
+ */
+public class IDPRedirectValve extends ValveBase
+{
+ private static Logger log = Logger.getLogger(IDPRedirectValve.class);
+
+ private String identityURL = null;
+
+ public void setIdentityURL(String url)
+ {
+ this.identityURL = url;
+ }
+
+ @Override
+ public void invoke(Request request, Response response) throws IOException,
ServletException
+ {
+ //request.setCharacterEncoding("UTF-8");
+
+ boolean containsSAMLRequestMessage = this.isSAMLRequestMessage(request);
+
+ //Lets check if the user has been authenticated
+ Principal userPrincipal = request.getUserPrincipal();
+ if(userPrincipal == null)
+ {
+ //Send it for user authentication
+ try
+ {
+ //Next in the invocation chain
+ getNext().invoke(request, response);
+ }
+ finally
+ {
+ //TODO: send saml error
+ if(response.getStatus() == HttpServletResponse.SC_FORBIDDEN)
+ throw new RuntimeException("Unauthorized User");
+
+ //User is authenticated as we are on the return path
+ userPrincipal = request.getUserPrincipal();
+ if(userPrincipal != null)
+ {
+ //Send valid saml response after processing the request
+ if(containsSAMLRequestMessage)
+ {
+ try
+ {
+ ResponseType responseType = this.getResponse(request,
userPrincipal);
+ StringWriter stringWriter = new StringWriter();
+ JBossSAMLAuthnResponseFactory.marshall(responseType, stringWriter);
+
+ String responseMessage = stringWriter.toString();
+
+ //Deflate encoding
+ byte[] deflatedMsg = DeflateUtil.encode(responseMessage);
+
+ String base64Response = Base64.encodeBytes(deflatedMsg,
Base64.DONT_BREAK_LINES);
+
+ String destination = responseType.getDestination();
+ log.trace("IDP:Destination=" + destination);
+ base64Response = URLEncoder.encode(base64Response,
"UTF-8");
+ response.sendRedirect(destination + "?SAMLResponse=" +
base64Response);
+ }
+ catch (Exception e)
+ {
+ log.error("Exception:" ,e);
+ throw new ServletException(e.getLocalizedMessage());
+ }
+ }
+ }
+ }
+ }
+ }
+
+ private boolean isSAMLRequestMessage(Request request)
+ {
+ return request.getParameter("SAMLRequest") != null;
+ }
+
+ private ResponseType getResponse(Request request, Principal userPrincipal) throws
Exception
+ {
+ ResponseType responseType = null;
+
+ byte[] decodedMessage = Base64.decode(getSAMLMessage(request));
+
+ InputStream is = DeflateUtil.decode(decodedMessage);
+ AuthnRequestType authnRequestType =
JBossSAMLAuthnRequestFactory.getAuthnRequestType(is);
+ if(authnRequestType == null)
+ throw new IllegalStateException("AuthnRequest is null");
+
+ JBossSAMLAuthnRequestFactory.marshall(authnRequestType, System.out);
+
+ //Create a response type
+ String id = "ID_" + JBossSAMLBaseFactory.createUUID();
+
+ IssuerInfoHolder issuerHolder = new IssuerInfoHolder(this.identityURL);
+ issuerHolder.setStatusCode(JBossSAMLURIConstants.STATUS_SUCCESS.get());
+
+ IDPInfoHolder idp = new IDPInfoHolder();
+ idp.setNameIDFormatValue(userPrincipal.getName());
+ idp.setNameIDFormat(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get());
+
+ SPInfoHolder sp = new SPInfoHolder();
+ sp.setResponseDestinationURI(authnRequestType.getAssertionConsumerServiceURL());
+ responseType = JBossSAMLAuthnResponseFactory.createResponseType(id, sp, idp,
issuerHolder);
+ //Add information on the roles
+ List<String> roles = getRoles(userPrincipal);
+ AssertionType assertion = (AssertionType)
responseType.getAssertionOrEncryptedAssertion().get(0);
+
+ AttributeStatementType attrStatement =
JBossSAMLBaseFactory.createAttributeStatement();
+ for(String role: roles)
+ {
+ AttributeType attr = JBossSAMLBaseFactory.createAttributeForRole(role);
+ attrStatement.getAttributeOrEncryptedAttribute().add(attr);
+ }
+
assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement().add(attrStatement);
+
+ log.debug("ResponseType = ");
+ //Lets see how the response looks like
+ JBossSAMLAuthnResponseFactory.marshall(responseType, System.out);
+
+ return responseType;
+ }
+
+ private List<String> getRoles(Principal tomcatPrincipal)
+ {
+ List<String> userRoles = new ArrayList<String>();
+
+ if(tomcatPrincipal instanceof GenericPrincipal)
+ {
+ GenericPrincipal gp = (GenericPrincipal) tomcatPrincipal;
+ String[] roles = gp.getRoles();
+ if(roles.length > 0)
+ userRoles.addAll(Arrays.asList(roles));
+ }
+ else
+ if(tomcatPrincipal instanceof User)
+ {
+ User tomcatUser = (User) tomcatPrincipal;
+ Iterator<?> iter = tomcatUser.getRoles();
+ while(iter.hasNext())
+ {
+ Role tomcatRole = (Role) iter.next();
+ userRoles.add(tomcatRole.getRolename());
+ }
+ }
+ return userRoles;
+ }
+
+
+ private String getSAMLMessage(Request request)
+ {
+ return request.getParameter("SAMLRequest");
+ }
+}
\ No newline at end of file
Added:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
(rev 0)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2008-12-12
22:40:02 UTC (rev 160)
@@ -0,0 +1,216 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.identity.federation.bindings.tomcat.sp;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URLEncoder;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.ServletException;
+import javax.xml.bind.JAXBElement;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Session;
+import org.apache.catalina.authenticator.Constants;
+import org.apache.catalina.authenticator.FormAuthenticator;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.deploy.LoginConfig;
+import org.apache.catalina.realm.GenericPrincipal;
+import org.apache.log4j.Logger;
+import org.jboss.identity.federation.api.saml.v2.exceptions.AssertionExpiredException;
+import org.jboss.identity.federation.api.saml.v2.factories.JBossSAMLAuthnRequestFactory;
+import
org.jboss.identity.federation.api.saml.v2.factories.JBossSAMLAuthnResponseFactory;
+import org.jboss.identity.federation.api.saml.v2.factories.JBossSAMLBaseFactory;
+import org.jboss.identity.federation.api.util.Base64;
+import org.jboss.identity.federation.api.util.DeflateUtil;
+import org.jboss.identity.federation.saml.v2.assertion.AssertionType;
+import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.jboss.identity.federation.saml.v2.assertion.AttributeType;
+import org.jboss.identity.federation.saml.v2.assertion.NameIDType;
+import org.jboss.identity.federation.saml.v2.assertion.SubjectType;
+import org.jboss.identity.federation.saml.v2.jboss.JBossSAMLURIConstants;
+import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
+import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.jboss.identity.federation.saml.v2.protocol.StatusType;
+
+/**
+ * Authenticator at the Service Provider
+ * that handles HTTP/Redirect binding of SAML 2
+ * but falls back on Form Authentication
+ *
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Dec 12, 2008
+ */
+public class SPRedirectFormAuthenticator extends FormAuthenticator
+{
+ private static Logger log = Logger.getLogger(SPRedirectFormAuthenticator.class);
+
+ private String serviceURL = null;
+ private String identityURL = null;
+
+ public void setIdentityURL(String url)
+ {
+ this.identityURL = url;
+ }
+
+ public void setServiceURL(String url)
+ {
+ this.serviceURL = url;
+ }
+
+ @Override
+ public boolean authenticate(Request request, Response response, LoginConfig
loginConfig) throws IOException
+ {
+ Principal principal = request.getUserPrincipal();
+ if (principal != null)
+ {
+ log.debug("Already authenticated '" + principal.getName() +
"'");
+ return true;
+ }
+
+ Session session = request.getSessionInternal(true);
+
+ //Try to get the username
+ try
+ {
+ Principal p = process(request,response);
+ if(p == null)
+ {
+ createSAMLRequestMessage("someuser", response);
+ return false;
+ }
+ String username = p.getName();
+ String password = "FED_IDENTITY";
+ session.setNote(Constants.SESS_USERNAME_NOTE, username);
+ session.setNote(Constants.SESS_PASSWORD_NOTE, password);
+ request.setUserPrincipal(p);
+ register(request, response, p, Constants.FORM_METHOD, username, password);
+ return true;
+ }
+ catch(AssertionExpiredException aie)
+ {
+ log.debug("Assertion has expired. Issuing a new saml2 request to the
IDP");
+ try
+ {
+ createSAMLRequestMessage("someuser", response);
+ }
+ catch (Exception e)
+ {
+ log.trace("Exception:",e);
+ e.printStackTrace();
+ }
+ return false;
+ }
+ catch(Exception e)
+ {
+ log.debug("Exception :",e);
+ e.printStackTrace();
+ }
+
+ //fallback
+ return super.authenticate(request, response, loginConfig);
+ }
+
+ private void createSAMLRequestMessage(String username, Response response)
+ throws Exception
+ {
+ //create a saml request
+ if(this.serviceURL == null)
+ throw new ServletException("serviceURL is not configured");
+
+ AuthnRequestType authnRequest =
JBossSAMLAuthnRequestFactory.createAuthnRequestType(
+ "ID_" + JBossSAMLBaseFactory.createUUID(), serviceURL,
+ identityURL, serviceURL);
+
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ JBossSAMLAuthnRequestFactory.marshall(authnRequest, baos);
+
+ //Deflate encoding
+ byte[] deflatedMsg = DeflateUtil.encode(baos.toByteArray());
+
+ String base64Request = Base64.encodeBytes(deflatedMsg, Base64.DONT_BREAK_LINES);
+
+ base64Request = URLEncoder.encode(base64Request, "UTF-8");
+ String destination = authnRequest.getDestination() + "?SAMLRequest=" +
base64Request;
+ log.debug("Sending to destination="+destination);
+ response.setCharacterEncoding("UTF-8");
+ response.setHeader("Location", destination);
+ response.setStatus(Response.SC_MOVED_TEMPORARILY);
+ response.sendRedirect(destination);
+ return;
+ }
+
+ @SuppressWarnings("unchecked")
+ private Principal process(Request request, Response response) throws Exception
+ {
+ Principal userPrincipal = null;
+
+ String samlResponse = request.getParameter("SAMLResponse");
+ if(samlResponse != null && samlResponse.length() > 0 )
+ {
+ //deal with saml response from IDP
+ byte[] base64DecodedResponse = Base64.decode(samlResponse);
+ InputStream is = DeflateUtil.decode(base64DecodedResponse);
+
+ ResponseType responseType = JBossSAMLAuthnResponseFactory.getResponseType(is);
+ StatusType statusType = responseType.getStatus();
+ if(statusType == null)
+ throw new Exception("Status Type from the IDP is null");
+
+ String statusValue = statusType.getStatusCode().getValue();
+ if(JBossSAMLURIConstants.STATUS_SUCCESS.get().equals(statusValue) == false)
+ throw new SecurityException("IDP forbid the user");
+
+ AssertionType assertion = (AssertionType)
responseType.getAssertionOrEncryptedAssertion().get(0);
+ SubjectType subject = assertion.getSubject();
+ JAXBElement<NameIDType> jnameID = (JAXBElement<NameIDType>)
subject.getContent().get(0);
+ NameIDType nameID = jnameID.getValue();
+ String userName = nameID.getValue();
+ List<String> roles = new ArrayList<String>();
+
+ //Let us get the roles
+ AttributeStatementType attributeStatement = (AttributeStatementType)
assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement().get(0);
+ List<Object> attList =
attributeStatement.getAttributeOrEncryptedAttribute();
+ for(Object obj:attList)
+ {
+ AttributeType attr = (AttributeType) obj;
+ String roleName = (String) attr.getAttributeValue().get(0);
+ roles.add(roleName);
+ }
+
+ userPrincipal = this.createGenericPrincipal(request, userName, roles);
+ }
+ return userPrincipal;
+ }
+
+
+ private Principal createGenericPrincipal(Request request, String username,
List<String> roles)
+ {
+ Context ctx = request.getContext();
+ return new GenericPrincipal(ctx.getRealm(), username, null, roles);
+ }
+}
\ No newline at end of file
Added:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectValve.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectValve.java
(rev 0)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectValve.java 2008-12-12
22:40:02 UTC (rev 160)
@@ -0,0 +1,181 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.identity.federation.bindings.tomcat.sp;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URLEncoder;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.ServletException;
+import javax.xml.bind.JAXBElement;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Session;
+import org.apache.catalina.authenticator.Constants;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.realm.GenericPrincipal;
+import org.apache.catalina.valves.ValveBase;
+import org.apache.log4j.Logger;
+import org.jboss.identity.federation.api.saml.v2.factories.JBossSAMLAuthnRequestFactory;
+import
org.jboss.identity.federation.api.saml.v2.factories.JBossSAMLAuthnResponseFactory;
+import org.jboss.identity.federation.api.saml.v2.factories.JBossSAMLBaseFactory;
+import org.jboss.identity.federation.api.util.Base64;
+import org.jboss.identity.federation.api.util.DeflateUtil;
+import org.jboss.identity.federation.saml.v2.assertion.AssertionType;
+import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.jboss.identity.federation.saml.v2.assertion.AttributeType;
+import org.jboss.identity.federation.saml.v2.assertion.NameIDType;
+import org.jboss.identity.federation.saml.v2.assertion.SubjectType;
+import org.jboss.identity.federation.saml.v2.jboss.JBossSAMLURIConstants;
+import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
+import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.jboss.identity.federation.saml.v2.protocol.StatusType;
+
+/**
+ * Valve at the Service Provider for the HTTP/Redirect binding
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Dec 11, 2008
+ */
+public class SPRedirectValve extends ValveBase
+{
+ private static Logger log = Logger.getLogger(SPRedirectValve.class);
+
+ private String serviceURL = null;
+ private String identityURL = null;
+
+ public void setIdentityURL(String url)
+ {
+ this.identityURL = url;
+ }
+
+ public void setServiceURL(String url)
+ {
+ this.serviceURL = url;
+ }
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public void invoke(Request request, Response response) throws IOException,
ServletException
+ {
+ try
+ {
+ //Lets check if the user has been authenticated
+ Principal userPrincipal = request.getUserPrincipal();
+ if(userPrincipal == null)
+ {
+ String samlResponse = request.getParameter("SAMLResponse");
+ if(samlResponse != null && samlResponse.length() > 0 )
+ {
+ //deal with saml response from IDP
+ byte[] base64DecodedResponse = Base64.decode(samlResponse);
+ InputStream is = DeflateUtil.decode(base64DecodedResponse);
+
+ ResponseType responseType =
JBossSAMLAuthnResponseFactory.getResponseType(is);
+ StatusType statusType = responseType.getStatus();
+ if(statusType == null)
+ throw new Exception("Status Type from the IDP is null");
+
+ String statusValue = statusType.getStatusCode().getValue();
+ if(JBossSAMLURIConstants.STATUS_SUCCESS.get().equals(statusValue) ==
false)
+ throw new SecurityException("IDP forbid the user");
+
+ AssertionType assertion = (AssertionType)
responseType.getAssertionOrEncryptedAssertion().get(0);
+ SubjectType subject = assertion.getSubject();
+ JAXBElement<NameIDType> jnameID = (JAXBElement<NameIDType>)
subject.getContent().get(0);
+ NameIDType nameID = jnameID.getValue();
+ String userName = nameID.getValue();
+ List<String> roles = new ArrayList<String>();
+
+ //Let us get the roles
+ AttributeStatementType attributeStatement = (AttributeStatementType)
assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement().get(0);
+ List<Object> attList =
attributeStatement.getAttributeOrEncryptedAttribute();
+ for(Object obj:attList)
+ {
+ AttributeType attr = (AttributeType) obj;
+ String roleName = (String) attr.getAttributeValue().get(0);
+ roles.add(roleName);
+ }
+
+
+ Principal idpPrincipal = this.createGenericPrincipal(request, userName,
roles);
+ Session session = request.getSessionInternal(true);
+ session.setNote(Constants.REQ_SSOID_NOTE,
JBossSAMLBaseFactory.createUUID());
+ request.setUserPrincipal(idpPrincipal);
+ session.setPrincipal(idpPrincipal);
+ }
+ else
+ {
+ //create a saml request
+ if(this.serviceURL == null)
+ throw new ServletException("serviceURL is not configured");
+
+ AuthnRequestType authnRequest =
JBossSAMLAuthnRequestFactory.createAuthnRequestType(
+ "ID_" + JBossSAMLBaseFactory.createUUID(), serviceURL,
+ identityURL, serviceURL);
+
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ JBossSAMLAuthnRequestFactory.marshall(authnRequest, baos);
+
+ //Deflate encoding
+ byte[] deflatedMsg = DeflateUtil.encode(baos.toByteArray());
+
+ String base64Request = Base64.encodeBytes(deflatedMsg,
Base64.DONT_BREAK_LINES);
+
+ base64Request = URLEncoder.encode(base64Request, "UTF-8");
+ String destination = authnRequest.getDestination() +
"?SAMLRequest=" + base64Request;
+ log.trace("Sending to destination="+destination);
+ log.trace("
");
+ response.setCharacterEncoding("UTF-8");
+ response.setHeader("Location", destination);
+ response.setStatus(Response.SC_MOVED_TEMPORARILY);
+ response.sendRedirect(destination);
+ return;
+ }
+ }
+ }
+ catch(SecurityException e)
+ {
+ log.error("Security Exception:",e);
+ response.sendError(Response.SC_FORBIDDEN);
+ }
+ catch(Exception e)
+ {
+ log.error("Exception:",e);
+ response.sendError(Response.SC_INTERNAL_SERVER_ERROR, "Server
Error");
+ }
+
+ //the user is already authenticated
+ response.recycle();
+ getNext().invoke(request, response);
+ }
+
+ private Principal createGenericPrincipal(Request request, String username,
List<String> roles)
+ {
+ Context ctx = request.getContext();
+ return new GenericPrincipal(ctx.getRealm(), username, null, roles);
+ }
+}
\ No newline at end of file