Author: anil.saldhana(a)jboss.com
Date: 2009-08-13 20:20:17 -0400 (Thu, 13 Aug 2009)
New Revision: 693
Added:
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/common/SAMLDocumentHolder.java
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/jboss/wstrust/JBossSTS.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/KeyStoreKeyManager.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/request/SAML2Request.java
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/response/SAML2Response.java
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/StandardRequestHandler.java
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/WSTrustJAXBFactory.java
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/util/JAXBUtil.java
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/RequestSecurityToken.java
Log:
JBID-164: use dom
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/jboss/wstrust/JBossSTS.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/jboss/wstrust/JBossSTS.java 2009-08-11
21:17:11 UTC (rev 692)
+++
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/jboss/wstrust/JBossSTS.java 2009-08-14
00:20:17 UTC (rev 693)
@@ -33,6 +33,7 @@
import javax.xml.ws.WebServiceException;
import javax.xml.ws.WebServiceProvider;
+import org.jboss.identity.federation.api.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.api.wstrust.STSConfiguration;
import org.jboss.identity.federation.api.wstrust.SecurityTokenService;
import org.jboss.identity.federation.api.wstrust.WSTrustConstants;
@@ -41,12 +42,14 @@
import org.jboss.identity.federation.api.wstrust.WSTrustRequestHandler;
import org.jboss.identity.federation.bindings.config.STSType;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
+import org.jboss.identity.federation.core.exceptions.ParsingException;
import org.jboss.identity.federation.core.util.JAXBUtil;
import org.jboss.identity.federation.core.wstrust.BaseRequestSecurityToken;
import org.jboss.identity.federation.core.wstrust.RequestSecurityToken;
import org.jboss.identity.federation.core.wstrust.RequestSecurityTokenCollection;
import org.jboss.identity.federation.core.wstrust.RequestSecurityTokenResponse;
import
org.jboss.identity.federation.core.wstrust.RequestSecurityTokenResponseCollection;
+import org.w3c.dom.Document;
/**
* <p>
@@ -72,7 +75,16 @@
*/
public Source invoke(Source request)
{
- BaseRequestSecurityToken baseRequest =
WSTrustJAXBFactory.getInstance().parseRequestSecurityToken(request);
+ BaseRequestSecurityToken baseRequest;
+ try
+ {
+ baseRequest =
WSTrustJAXBFactory.getInstance().parseRequestSecurityToken(request);
+ }
+ catch (ParsingException e)
+ {
+ throw new RuntimeException(e);
+ }
+
if (baseRequest instanceof RequestSecurityToken)
return this.handleTokenRequest((RequestSecurityToken) baseRequest);
else if (baseRequest instanceof RequestSecurityTokenCollection)
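Review bot: The new `catch (ParsingException e)` rethrows as a bare `RuntimeException`, although this class already imports `javax.xml.ws.WebServiceException` (visible in the first hunk), which is the exception type JAX-WS maps to a SOAP fault with its message preserved. Prefer `throw new WebServiceException("Unable to parse the RequestSecurityToken", e);` so the client sees why the request was rejected rather than a generic server fault. invoke() continues beyond the hunk.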
@@ -92,6 +104,13 @@
*/
protected Source handleTokenRequest(RequestSecurityToken request)
{
+ SAMLDocumentHolder holder =
WSTrustJAXBFactory.getInstance().getSAMLDocumentHolderOnThread();
+
+ /**
+ * The RST Document is very important for XML Signatures
+ */
+ request.setRSTDocument(holder.getSamlDocument());
+
if(this.config == null)
try
{
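Review bot: `holder` returned by `getSAMLDocumentHolderOnThread()` is dereferenced without a null check in `request.setRSTDocument(holder.getSamlDocument())`, so an unpopulated or cleared thread-local surfaces as an NPE out of the STS instead of a meaningful fault; suggest `if(holder == null) throw new WebServiceException("No RST document is available on the current thread");` first (WebServiceException is already imported). Because the holder lives in a thread-local and container threads are reused, it is worth confirming that the factory overwrites or clears it on every `parseRequestSecurityToken` call, otherwise a stale document from an earlier request could be attached to this RST and end up being what gets signed. The `/** ... */` block inside the method body should be a `//` or `/* */` comment, since Javadoc syntax belongs on declarations. handleTokenRequest continues outside the hunk.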
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/KeyStoreKeyManager.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/KeyStoreKeyManager.java 2009-08-11
21:17:11 UTC (rev 692)
+++
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/KeyStoreKeyManager.java 2009-08-14
00:20:17 UTC (rev 693)
@@ -38,6 +38,7 @@
import javax.crypto.SecretKey;
+import org.apache.log4j.Logger;
import org.jboss.identity.federation.bindings.config.AuthPropertyType;
import org.jboss.identity.federation.bindings.config.KeyValueType;
import org.jboss.identity.federation.bindings.interfaces.TrustKeyConfigurationException;
@@ -45,7 +46,7 @@
import org.jboss.identity.federation.bindings.interfaces.TrustKeyProcessingException;
import org.jboss.identity.federation.bindings.util.ValveUtil;
import org.jboss.identity.federation.bindings.util.cert.EncryptionKeyUtil;
-import org.jboss.identity.federation.bindings.util.cert.KeyStoreUtil;
+import org.jboss.identity.federation.bindings.util.cert.KeyStoreUtil;
/**
* KeyStore based Trust Key Manager
@@ -64,6 +65,8 @@
*/
private final Map<String,SecretKey> keys = new
HashMap<String,SecretKey>();
+ private static Logger log = Logger.getLogger(KeyStoreKeyManager.class);
+
private final HashMap<String,String> domainAliasMap = new
HashMap<String,String>();
private final HashMap<String,String> authPropsMap = new
HashMap<String,String>();
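Review bot: The new logger field should be `private static final Logger log = Logger.getLogger(KeyStoreKeyManager.class);` so the reference cannot be reassigned and the declaration matches the surrounding `final` fields. A class-level constant-style field also sits more naturally above the instance maps it is currently wedged between.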
@@ -185,6 +188,8 @@
public PublicKey getPublicKey(String alias)
throws TrustKeyConfigurationException, TrustKeyProcessingException
{
+ PublicKey publicKey = null;
+
try
{
if(ks == null)
@@ -192,7 +197,13 @@
if(ks == null)
throw new IllegalStateException("KeyStore is null");
- return ks.getCertificate(alias).getPublicKey();
+ Certificate cert = ks.getCertificate(alias);
+ if(cert != null)
+ publicKey = cert.getPublicKey();
+ else
+ log.debug("No public key found for alias=" + alias);
+
+ return publicKey;
}
catch (KeyStoreException e)
{
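Review bot: `getPublicKey` now returns `null` when `ks.getCertificate(alias)` finds nothing, which changes the contract for every caller that feeds the result straight into a signature check, including the new `SPPostSignatureFormAuthenticator.verifySignature` in this commit; the Javadoc above the method (outside the hunk) should say so, e.g. `@return the public key for the alias, or null if the key store holds no certificate under that alias`. A missing validating key for a configured alias is also exactly what an operator needs to see when signature verification starts failing, so `log.debug(...)` is too quiet; `log.warn("No certificate found in the key store for alias=" + alias);` would be more appropriate, or throw the already-declared `TrustKeyProcessingException`. The method's remaining catch blocks are outside the hunk.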
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java 2009-08-11
21:17:11 UTC (rev 692)
+++
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java 2009-08-14
00:20:17 UTC (rev 693)
@@ -267,7 +267,7 @@
return request.getParameter("SAMLRequest") != null;
}
- private RequestAbstractType getSAMLRequest(Request request) throws JAXBException,
SAXException
+ private RequestAbstractType getSAMLRequest(Request request) throws ParsingException,
IOException
{
String samlMessage = getSAMLMessage(request);
InputStream is = RedirectBindingUtil.base64DeflateDecode(samlMessage);
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2009-08-11
21:17:11 UTC (rev 692)
+++
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2009-08-14
00:20:17 UTC (rev 693)
@@ -57,7 +57,7 @@
import org.jboss.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.jboss.identity.federation.saml.v2.protocol.RequestAbstractType;
-import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.w3c.dom.Document;
/**
* Generic Web Browser SSO valve for the IDP
@@ -149,23 +149,24 @@
}
- IDPWebRequestUtil webRequestUtil = new IDPWebRequestUtil(request,
idpConfiguration);
+ IDPWebRequestUtil webRequestUtil = new IDPWebRequestUtil(request, idpConfiguration,
keyManager);
+ Document samlErrorResponse = null;
//Look for unauthorized status
if(response.getStatus() == HttpServletResponse.SC_FORBIDDEN)
{
try
{
- ResponseType errorResponseType =
+ samlErrorResponse =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL);
+ this.identityURL, this.signOutgoingMessages);
if(this.signOutgoingMessages)
- webRequestUtil.send(errorResponseType, relayState, response, true,
+ webRequestUtil.send(samlErrorResponse, referer, relayState, response,
true,
this.keyManager.getSigningKey());
else
- webRequestUtil.send(errorResponseType, relayState, response, false,null);
+ webRequestUtil.send(samlErrorResponse, referer,relayState, response,
false,null);
}
catch (GeneralSecurityException e)
@@ -206,9 +207,9 @@
if(samlMessage != null)
{
//Get the SAML Request Message
- RequestAbstractType requestAbstractType = null;
- ResponseType responseType = null;
-
+ RequestAbstractType requestAbstractType = null;
+ Document samlResponse = null;
+ String destination = null;
try
{
requestAbstractType = webRequestUtil.getSAMLRequest(samlMessage);
@@ -226,60 +227,62 @@
log.trace("Roles have been determined:Creating response");
AuthnRequestType art = (AuthnRequestType) requestAbstractType;
- responseType =
- webRequestUtil.getResponse(art.getAssertionConsumerServiceURL(),
+ destination = art.getAssertionConsumerServiceURL();
+
+ samlResponse =
+ webRequestUtil.getResponse(destination,
userPrincipal, roles,
- this.identityURL, this.assertionValidity);
+ this.identityURL, this.assertionValidity,
this.signOutgoingMessages);
}
catch (IssuerNotTrustedException e)
{
log.trace(e);
- responseType =
+ samlResponse =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get(),
- this.identityURL);
+ this.identityURL, this.signOutgoingMessages);
}
catch (ParsingException e)
{
log.trace(e);
- responseType =
+ samlResponse =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL);
+ this.identityURL, this.signOutgoingMessages);
}
catch (ConfigurationException e)
{
log.trace(e);
- responseType =
+ samlResponse =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL);
+ this.identityURL, this.signOutgoingMessages);
}
catch (IssueInstantMissingException e)
{
log.trace(e);
- responseType =
+ samlResponse =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL);
+ this.identityURL, this.signOutgoingMessages);
}
catch(GeneralSecurityException e)
{
log.trace(e);
- responseType =
+ samlResponse =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL);
+ this.identityURL, this.signOutgoingMessages);
}
finally
{
try
{
if(this.signOutgoingMessages)
- webRequestUtil.send(responseType, relayState, response, true,
+ webRequestUtil.send(samlResponse, destination,relayState,
response, true,
this.keyManager.getSigningKey());
else
- webRequestUtil.send(responseType, relayState, response,
false,null);
+ webRequestUtil.send(samlResponse, destination, relayState,
response, false,null);
}
catch (ParsingException e)
{
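Review bot: `destination` is assigned only in the success path (`destination = art.getAssertionConsumerServiceURL();`), so in each of the five catch blocks that build an error response for `referer`, the `finally` block calls `webRequestUtil.send(samlResponse, destination, ...)` with `destination == null`; in the redirect profile `send` concatenates it into `finalDest = destination + getDestination(...)`, yielding a redirect to `"null?..."`. Before this change the target came from `responseType.getDestination()`, which `getErrorResponse` had set from the referer, so this is a regression introduced by moving the destination into a separate argument. Either set `destination = referer;` in each catch block, or add `if(destination == null) destination = referer;` at the top of the `finally` block. The enclosing method starts and ends outside the hunk.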
@@ -314,16 +317,16 @@
{
log.trace("About to send error response to SP:" + referrer);
- ResponseType errorResponseType =
+ Document samlResponse =
webRequestUtil.getErrorResponse(referrer,
JBossSAMLURIConstants.STATUS_RESPONDER.get(),
- this.identityURL);
+ this.identityURL, this.signOutgoingMessages);
try
{
if(this.signOutgoingMessages)
- webRequestUtil.send(errorResponseType, relayState, response, true,
+ webRequestUtil.send(samlResponse, referrer, relayState, response, true,
this.keyManager.getSigningKey());
else
- webRequestUtil.send(errorResponseType, relayState, response, false,null);
+ webRequestUtil.send(samlResponse, referrer, relayState, response,
false,null);
}
catch (ParsingException e1)
{
@@ -461,6 +464,9 @@
if(this.signOutgoingMessages)
{
KeyProviderType keyProvider = this.idpConfiguration.getKeyProvider();
+ if(keyProvider == null)
+ throw new LifecycleException("Key Provider is null for context=" +
context.getName());
+
try
{
ClassLoader tcl = SecurityActions.getContextClassLoader();
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java 2009-08-11
21:17:11 UTC (rev 692)
+++
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPWebRequestUtil.java 2009-08-14
00:20:17 UTC (rev 693)
@@ -22,7 +22,6 @@
package org.jboss.identity.federation.bindings.tomcat.idp;
import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
@@ -35,16 +34,21 @@
import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.JAXBException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactoryConfigurationError;
import org.apache.catalina.connector.Response;
import org.apache.log4j.Logger;
import org.jboss.identity.federation.api.saml.v2.common.IDGenerator;
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
+import org.jboss.identity.federation.api.saml.v2.sig.SAML2Signature;
import org.jboss.identity.federation.bindings.config.IDPType;
import org.jboss.identity.federation.bindings.config.TrustType;
+import org.jboss.identity.federation.bindings.interfaces.TrustKeyManager;
import org.jboss.identity.federation.bindings.util.HTTPRedirectUtil;
import org.jboss.identity.federation.bindings.util.PostBindingUtil;
+import org.jboss.identity.federation.bindings.util.RedirectBindingSignatureUtil;
import org.jboss.identity.federation.bindings.util.RedirectBindingUtil;
import org.jboss.identity.federation.bindings.util.ValveUtil;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
@@ -56,11 +60,13 @@
import org.jboss.identity.federation.core.saml.v2.holders.IDPInfoHolder;
import org.jboss.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
import org.jboss.identity.federation.core.saml.v2.holders.SPInfoHolder;
+import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
import org.jboss.identity.federation.core.saml.v2.util.SignatureUtil;
import org.jboss.identity.federation.saml.v2.assertion.AssertionType;
import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.jboss.identity.federation.saml.v2.protocol.RequestAbstractType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.w3c.dom.Document;
import org.xml.sax.SAXException;
/**
@@ -79,35 +85,29 @@
private boolean postProfile = false;
private IDPType idpConfiguration;
+ private TrustKeyManager keyManager;
- public IDPWebRequestUtil(HttpServletRequest request, IDPType idp)
+ public IDPWebRequestUtil(HttpServletRequest request, IDPType idp, TrustKeyManager
keym)
{
this.request = request;
this.idpConfiguration = idp;
- hasSAMLRequestInRedirectProfile();
- hasSAMLRequestInPostProfile();
+ this.keyManager = keym;
+ this.redirectProfile = "GET".equals(request.getMethod());
+ this.postProfile = "POST".equals(request.getMethod());
}
public boolean hasSAMLRequestInRedirectProfile()
{
- if("GET".equalsIgnoreCase(request.getMethod()))
- {
- redirectProfile = request.getParameter("SAMLRequest") != null;
- }
- return redirectProfile;
+ return redirectProfile;
}
public boolean hasSAMLRequestInPostProfile()
{
- if("POST".equalsIgnoreCase(request.getMethod()))
- {
- postProfile = request.getParameter("SAMLRequest") != null;
- }
return postProfile;
}
public RequestAbstractType getSAMLRequest(String samlMessage)
- throws ParsingException
+ throws ParsingException, IOException
{
InputStream is = null;
SAML2Request saml2Request = new SAML2Request();
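Review bot: The constructor now derives `redirectProfile`/`postProfile` from the HTTP method alone (`this.redirectProfile = "GET".equals(request.getMethod());`), so `hasSAMLRequestInRedirectProfile()` and `hasSAMLRequestInPostProfile()` no longer check that a `SAMLRequest` parameter is present, and the comparison became case-sensitive where the removed code used `equalsIgnoreCase`. The accessor names now promise more than they check; either keep the parameter test, `this.redirectProfile = "GET".equals(request.getMethod()) && request.getParameter("SAMLRequest") != null;` (and likewise for POST), or rename the accessors to reflect that they only report the binding. `keym` is stored without validation, and since `IDPWebBrowserSSOValve` only initializes its key manager when `signOutgoingMessages` is set, `keyManager` may legitimately be null here; a field comment such as `// may be null when outgoing messages are not signed; only dereferenced when supportSignature is true` would make the contract explicit for the signing branches that use it.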
@@ -121,29 +121,20 @@
log.trace("SAMLRequest=" + new String(samlBytes));
is = new ByteArrayInputStream(samlBytes);
}
-
- try
- {
- return saml2Request.getRequestType(is);
- }
- catch (JAXBException e)
- {
- throw new ParsingException(e);
- }
- catch (SAXException e)
- {
- throw new ParsingException(e);
- }
+ return saml2Request.getRequestType(is);
}
- public ResponseType getResponse( String assertionConsumerURL,
+ public Document getResponse( String assertionConsumerURL,
Principal userPrincipal,
List<String> roles,
String identityURL,
- long assertionValidity)
+ long assertionValidity,
+ boolean supportSignature)
throws ConfigurationException, IssueInstantMissingException
{
+ Document samlResponseDocument = null;
+
log.trace("AssertionConsumerURL=" + assertionConsumerURL +
"::assertion validity=" + assertionValidity);
ResponseType responseType = null;
@@ -192,8 +183,31 @@
}
log.trace("Response="+sw.toString());
}
-
- return responseType;
+
+ log.trace("Support Sig=" + supportSignature + " ::Post
Profile?=" + hasSAMLRequestInPostProfile());
+ if(supportSignature && hasSAMLRequestInPostProfile())
+ {
+ try
+ {
+ SAML2Signature saml2Signature = new SAML2Signature();
+ samlResponseDocument = saml2Signature.sign(responseType,
keyManager.getSigningKeyPair());
+ }
+ catch (Exception e)
+ {
+ log.trace(e);
+ }
+ }
+ else
+ try
+ {
+ samlResponseDocument = saml2Response.convert(responseType);
+ }
+ catch (Exception e)
+ {
+ log.trace(e);
+ }
+
+ return samlResponseDocument;
}
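Review bot: In the new signing block, `catch (Exception e) { log.trace(e); }` swallows a signing failure and the method returns `samlResponseDocument == null`; `IDPWebBrowserSSOValve` then hands that null to `send`, which throws `IllegalArgumentException("responseType is null")`, so the real cause is visible only at trace level. Failing to sign an outgoing SAML response is an error condition: at minimum `log.error("Unable to sign the SAML response", e);`, and preferably rethrow as one of the declared exception types rather than continuing with a null document. The same swallow-at-trace pattern appears in the `getErrorResponse` hunk of this file (the `ss.sign(...)` block) and in the `getDestination` hunk. When `supportSignature` is true but the request is not in the POST profile the document is deliberately returned unsigned because the redirect binding signs the query string in `getDestination`; a one-line comment stating that at the `if(supportSignature && hasSAMLRequestInPostProfile())` branch would prevent a future reader from "fixing" it. getResponse starts in the previous hunk.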
@@ -239,48 +253,47 @@
/**
* Send a response
- * @param responseType
+ * @param responseDoc
* @param relayState
* @param response
* @throws IOException
* @throws GeneralSecurityException
*/
- public void send(ResponseType responseType, String relayState,
+ public void send(Document responseDoc, String destination,
+ String relayState,
Response response,
boolean supportSignature,
PrivateKey signingKey) throws IOException, GeneralSecurityException
{
- if(responseType == null)
- throw new IllegalArgumentException("reponseType is null");
+ if(responseDoc == null)
+ throw new IllegalArgumentException("responseType is null");
- SAML2Response saml2Response = new SAML2Response();
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ byte[] responseBytes = null;
try
{
- saml2Response.marshall(responseType, baos);
- }
- catch (SAXException e1)
+ responseBytes =
DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
+ }
+ catch (TransformerFactoryConfigurationError e)
{
- log.trace("Parsing Exception in sending response:",e1);
- throw new ParsingException("Parsing Exception in sending response:" ,
e1);
+ log.trace(e);
}
- catch (JAXBException e1)
+ catch (TransformerException e)
{
- log.trace("Parsing Exception in sending response:",e1);
- throw new ParsingException("Parsing Exception in sending response:"
,e1);
+ log.trace(e);
}
if(redirectProfile)
{
- String urlEncodedResponse =
RedirectBindingUtil.deflateBase64URLEncode(baos.toByteArray());
-
- String destination = responseType.getDestination();
+ String urlEncodedResponse =
RedirectBindingUtil.deflateBase64URLEncode(responseBytes);
+
log.trace("IDP:Destination=" + destination);
if(relayState != null && relayState.length() > 0)
relayState = RedirectBindingUtil.urlEncode(relayState);
- String finalDest = destination + getDestination(urlEncodedResponse,
relayState);
+ String finalDest = destination + getDestination(urlEncodedResponse, relayState,
+ supportSignature);
+ log.trace("Redirecting to="+ finalDest);
HTTPRedirectUtil.sendRedirectForResponder(finalDest, response);
}
else
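Review bot: `responseBytes` stays `null` when `DocumentUtil.getDocumentAsString` throws, because both new catch blocks only `log.trace(e)`, and the method then continues into `RedirectBindingUtil.deflateBase64URLEncode(responseBytes)`, so a serialization failure surfaces as an NPE far from its cause. The method already declares `IOException`; wrap and rethrow instead of continuing, e.g. `throw new IOException("Unable to serialize the SAML response document", e);` (the cause-taking constructor exists since Java 6; otherwise use the message form and log the cause at error level). The guard message `"responseType is null"` should read `"responseDoc is null"` to match the renamed parameter, and the Javadoc still lacks `@param destination`, `@param supportSignature` and `@param signingKey`. send() continues beyond the hunk.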
@@ -292,17 +305,11 @@
* created as part of the HTTP/POST binding
*/
response.recycle();
- String samlResponse = PostBindingUtil.base64Encode(baos.toString());
+
+ String samlResponse = PostBindingUtil.base64Encode(new String(responseBytes));
- if(supportSignature)
- {
- //SigAlg
- String algo = signingKey.getAlgorithm();
- String sigAlg = SignatureUtil.getXMLSignatureAlgorithmURI(algo);
-
- sigAlg = URLEncoder.encode(sigAlg, "UTF-8");
- }
- PostBindingUtil.sendPost(new
DestinationInfoHolder(responseType.getDestination(),
+
+ PostBindingUtil.sendPost(new DestinationInfoHolder(destination,
samlResponse, relayState), response, false);
}
}
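Review bot: `new String(responseBytes)` decodes with the platform default charset, while the bytes were produced with `getBytes("UTF-8")` in the previous hunk of this method, so on a non-UTF-8 default locale the POSTed SAMLResponse would be corrupted. Use `PostBindingUtil.base64Encode(new String(responseBytes, "UTF-8"));` to make the round trip symmetric. send() starts in the previous hunk.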
@@ -314,14 +321,32 @@
* @param urlEncodedRelayState
* @return
*/
- public String getDestination(String urlEncodedResponse, String urlEncodedRelayState)
+ public String getDestination(String urlEncodedResponse, String urlEncodedRelayState,
+ boolean supportSignature)
{
+ StringBuilder sb = new StringBuilder();
+ sb.append("?");
+
if(redirectProfile)
{
- StringBuilder sb = new StringBuilder();
- sb.append("?SAMLResponse=").append(urlEncodedResponse);
- if(urlEncodedRelayState != null && urlEncodedRelayState.length() >
0)
- sb.append("&RelayState=").append(urlEncodedRelayState);
+ if(supportSignature)
+ {
+ try
+ {
+
sb.append(RedirectBindingSignatureUtil.getSAMLResponseURLWithSignature(urlEncodedResponse,
+ urlEncodedRelayState, keyManager.getSigningKey()));
+ }
+ catch (Exception e)
+ {
+ log.trace(e);
+ }
+ }
+ else
+ {
+ sb.append("?SAMLResponse=").append(urlEncodedResponse);
+ if(urlEncodedRelayState != null && urlEncodedRelayState.length() >
0)
+ sb.append("&RelayState=").append(urlEncodedRelayState);
+ }
return sb.toString();
}
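Review bot: The method now appends `"?"` unconditionally at the top (`sb.append("?");`), but the unsigned branch still appends `"?SAMLResponse="`, so the redirect URL is built as `destination + "??SAMLResponse=..."`. Change that line to `sb.append("SAMLResponse=").append(urlEncodedResponse);`, and check whether `getSAMLResponseURLWithSignature` also contributes a leading `?`, since the signed branch would then have the same duplication. When signing throws, the exception is logged at trace and the method returns just `"?"`, so the browser is redirected to the SP with no SAMLResponse and no indication of why; log at error level and propagate rather than returning a truncated query string. getDestination continues outside the hunk.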
@@ -333,12 +358,14 @@
* @param responseURL
* @param status
* @param identityURL
+ * @param supportSignature
* @return
* @throws ConfigurationException
*/
- public ResponseType getErrorResponse(String responseURL, String status,
- String identityURL)
+ public Document getErrorResponse(String responseURL, String status,
+ String identityURL, boolean supportSignature)
{
+ Document samlResponse = null;
ResponseType responseType = null;
SAML2Response saml2Response = new SAML2Response();
@@ -365,7 +392,7 @@
responseType = saml2Response.createResponseType();
}
- log.debug("ResponseType = ");
+ log.debug("Error_ResponseType = ");
//Lets see how the response looks like
if(log.isTraceEnabled())
{
@@ -385,6 +412,34 @@
log.trace("Response="+sw.toString());
}
- return responseType;
+ if(supportSignature)
+ {
+ try
+ {
+ //SigAlg
+ String algo = keyManager.getSigningKey().getAlgorithm();
+ String sigAlg = SignatureUtil.getXMLSignatureAlgorithmURI(algo);
+
+ sigAlg = URLEncoder.encode(sigAlg, "UTF-8");
+
+ SAML2Signature ss = new SAML2Signature();
+ samlResponse = ss.sign(responseType, keyManager.getSigningKeyPair());
+ }
+ catch (Exception e)
+ {
+ log.trace(e);
+ }
+ }
+ else
+ try
+ {
+ samlResponse = saml2Response.convert(responseType);
+ }
+ catch (Exception e)
+ {
+ log.trace(e);
+ }
+
+ return samlResponse;
}
}
\ No newline at end of file
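Review bot: `algo` and `sigAlg` in the new signing branch are computed and URL-encoded but never used (`sigAlg = URLEncoder.encode(sigAlg, "UTF-8");` is the last reference), so those four lines are dead code and should be removed; the redirect-binding signature algorithm is handled by `getDestination`. The Javadoc `@return` tag is still empty now that the return type changed; suggest `@return the error response as a DOM Document, signed when supportSignature is true, or null if conversion or signing failed`. getErrorResponse starts in an earlier hunk.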
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2009-08-11
21:17:11 UTC (rev 692)
+++
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2009-08-14
00:20:17 UTC (rev 693)
@@ -41,6 +41,7 @@
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.log4j.Logger;
+import org.jboss.identity.federation.api.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
import org.jboss.identity.federation.bindings.config.TrustType;
@@ -234,7 +235,14 @@
SAML2Response saml2Response = new SAML2Response();
ResponseType responseType = saml2Response.getResponseType(is);
-
+
+ SAMLDocumentHolder samlDocumentHolder = saml2Response.getSamlDocumentHolder();
+
+ boolean validSignature = this.verifySignature(samlDocumentHolder);
+
+ if(validSignature == false)
+ throw new IssuerNotTrustedException("Signature in saml document is
invalid");
+
this.isTrusted(responseType.getIssuer().getValue());
List<Object> assertions =
responseType.getAssertionOrEncryptedAssertion();
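Review bot: `if(validSignature == false)` should be written `if(!validSignature)`; comparing a boolean against a literal is the idiom the surrounding code does not use elsewhere. The ordering is otherwise right: the signature is checked before `isTrusted(...)` reads the issuer, so untrusted content is never consulted before it has been authenticated. The enclosing method starts and ends outside the hunk.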
@@ -252,4 +260,10 @@
}
return userPrincipal;
}
+
+ protected boolean verifySignature(SAMLDocumentHolder samlDocumentHolder) throws
IssuerNotTrustedException
+ {
+ //this authenticator does not deal with signatures.
+ return true;
+ }
}
\ No newline at end of file
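Review bot: The default `verifySignature` returns `true` unconditionally, which means this authenticator accepts unsigned SAML responses and relies on the issuer check and transport security alone; the inline comment says so, but a deployer choosing between this class and `SPPostSignatureFormAuthenticator` will only see the Javadoc. Add a Javadoc block that states the method is a hook for subclasses, that this implementation performs no signature processing and always returns true, that `SPPostSignatureFormAuthenticator` overrides it when the IDP signs responses, and that documents the `@param samlDocumentHolder`, `@return` and `@throws IssuerNotTrustedException` tags.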
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java 2009-08-11
21:17:11 UTC (rev 692)
+++
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java 2009-08-14
00:20:17 UTC (rev 693)
@@ -23,19 +23,31 @@
import java.io.ByteArrayOutputStream;
import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.security.GeneralSecurityException;
+import java.security.PublicKey;
import javax.xml.bind.JAXBException;
+import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.dsig.XMLSignatureException;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Response;
import org.apache.log4j.Logger;
+import org.jboss.identity.federation.api.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
+import org.jboss.identity.federation.api.util.XMLSignatureUtil;
import org.jboss.identity.federation.bindings.config.KeyProviderType;
+import org.jboss.identity.federation.bindings.interfaces.TrustKeyConfigurationException;
import org.jboss.identity.federation.bindings.interfaces.TrustKeyManager;
+import org.jboss.identity.federation.bindings.interfaces.TrustKeyProcessingException;
import org.jboss.identity.federation.bindings.util.PostBindingUtil;
+import org.jboss.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.jboss.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
+import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.w3c.dom.Document;
import org.xml.sax.SAXException;
/**
@@ -102,4 +114,52 @@
PostBindingUtil.sendPost(new DestinationInfoHolder(destination, samlMessage,
relayState),
response, true);
}
+
+ @Override
+ protected boolean verifySignature(SAMLDocumentHolder samlDocumentHolder) throws
IssuerNotTrustedException
+ {
+ Document samlResponse = samlDocumentHolder.getSamlDocument();
+ ResponseType response = (ResponseType) samlDocumentHolder.getSamlObject();
+
+ String issuerID = response.getIssuer().getValue();
+
+ if(issuerID == null)
+ throw new IssuerNotTrustedException("Issue missing");
+
+ URL issuerURL;
+ try
+ {
+ issuerURL = new URL(issuerID);
+ }
+ catch (MalformedURLException e1)
+ {
+ throw new IssuerNotTrustedException(e1);
+ }
+
+ try
+ {
+ PublicKey publicKey = keyManager.getValidatingKey(issuerURL.getHost());
+ log.trace("Going to verify signature in the saml response from IDP");
+ boolean sigResult = XMLSignatureUtil.validate(samlResponse, publicKey);
+ log.trace("Signature verification="+sigResult);
+ return sigResult;
+ }
+ catch (TrustKeyConfigurationException e)
+ {
+ log.error("Unable to verify signature",e);
+ }
+ catch (TrustKeyProcessingException e)
+ {
+ log.error("Unable to verify signature",e);
+ }
+ catch (MarshalException e)
+ {
+ log.error("Unable to verify signature",e);
+ }
+ catch (XMLSignatureException e)
+ {
+ log.error("Unable to verify signature",e);
+ }
+ return false;
+ }
}
\ No newline at end of file
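Review bot: `response.getIssuer().getValue()` is dereferenced before the null check, so a response without an Issuer element produces an NPE rather than the intended `IssuerNotTrustedException`, and the message `"Issue missing"` should read `"Issuer missing"`. `keyManager.getValidatingKey(...)` can now return null (this commit changes `KeyStoreKeyManager.getPublicKey` to do exactly that for an unknown alias), and the null is passed straight into `XMLSignatureUtil.validate`; an explicit check that fails closed with a clear message is safer than relying on that method's behaviour with a null key. The four identical catch blocks could also share one log statement via a common supertype if one exists in the project. Whether `XMLSignatureUtil.validate` ties the signature to the Response element rather than accepting any valid Signature in the document is not visible from this hunk and is worth confirming.
```java
String issuerID = (response.getIssuer() != null) ? response.getIssuer().getValue() : null;

if(issuerID == null)
   throw new IssuerNotTrustedException("Issuer missing");

// … unchanged: URL parsing of issuerID …

PublicKey publicKey = keyManager.getValidatingKey(issuerURL.getHost());
if(publicKey == null)
   throw new IssuerNotTrustedException("No validating key configured for issuer host=" + issuerURL.getHost());
// … unchanged: XMLSignatureUtil.validate call and catch blocks …
```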
Modified:
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
===================================================================
---
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2009-08-11
21:17:11 UTC (rev 692)
+++
identity-federation/trunk/jboss-identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2009-08-14
00:20:17 UTC (rev 693)
@@ -30,6 +30,7 @@
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactoryConfigurationError;
+import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.log4j.Logger;
@@ -69,9 +70,11 @@
public void start() throws LifecycleException
{
super.start();
+ Context context = (Context) getContainer();
+
KeyProviderType keyProvider = this.spConfiguration.getKeyProvider();
if(keyProvider == null)
- throw new LifecycleException("KeyProvider is null");
+ throw new LifecycleException("KeyProvider is null for context="+
context.getName());
try
{
ClassLoader tcl = SecurityActions.getContextClassLoader();
Added:
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/common/SAMLDocumentHolder.java
===================================================================
---
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/common/SAMLDocumentHolder.java
(rev 0)
+++
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/common/SAMLDocumentHolder.java 2009-08-14
00:20:17 UTC (rev 693)
@@ -0,0 +1,74 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.identity.federation.api.saml.v2.common;
+
+import org.w3c.dom.Document;
+
+/**
+ * A Holder class that can store
+ * the SAML object as well as the corresponding
+ * DOM object.
+ * It is thread safe because each thread
+ * can have only one instance of this class
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Aug 13, 2009
+ */
+public class SAMLDocumentHolder
+{
+ private Object samlObject;
+ private Document samlDocument;
+
+ public SAMLDocumentHolder(Object samlObject)
+ {
+ this.samlObject = samlObject;
+ }
+
+ public SAMLDocumentHolder(Document samlDocument)
+ {
+ this.samlDocument = samlDocument;
+ }
+
+ public SAMLDocumentHolder(Object samlObject, Document samlDocument)
+ {
+ this.samlObject = samlObject;
+ this.samlDocument = samlDocument;
+ }
+ public Object getSamlObject()
+ {
+ return samlObject;
+ }
+
+ public void setSamlObject(Object samlObject)
+ {
+ this.samlObject = samlObject;
+ }
+
+ public Document getSamlDocument()
+ {
+ return samlDocument;
+ }
+
+ public void setSamlDocument(Document samlDocument)
+ {
+ this.samlDocument = samlDocument;
+ }
+}
\ No newline at end of file
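Review bot: The class Javadoc on the new file asserts thread safety ("It is thread safe because each thread can have only one instance"), but the class has two non-final fields with public setters and no synchronization, so safety is entirely a property of how callers confine instances — SAML2Request and SAML2Response keep one in a plain instance field, WSTrustJAXBFactory in a ThreadLocal. Suggest replacing that sentence with `Instances are not synchronized; callers must confine each instance to a single thread.` If the setters are not needed, making both fields `final` and dropping them would make the holder immutable and the claim true; `samlObject` being a bare `Object` also forces every consumer to cast, so a type parameter may be worth considering.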
Modified:
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/request/SAML2Request.java
===================================================================
---
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/request/SAML2Request.java 2009-08-11
21:17:11 UTC (rev 692)
+++
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/request/SAML2Request.java 2009-08-14
00:20:17 UTC (rev 693)
@@ -34,13 +34,16 @@
import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.ParserConfigurationException;
+import org.jboss.identity.federation.api.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.core.constants.JBossIdentityFederationConstants;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
+import org.jboss.identity.federation.core.exceptions.ParsingException;
import
org.jboss.identity.federation.core.saml.v2.factories.JBossSAMLAuthnRequestFactory;
import org.jboss.identity.federation.core.saml.v2.factories.JBossSAMLBaseFactory;
import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
import org.jboss.identity.federation.core.saml.v2.util.JAXBElementMappingUtil;
import org.jboss.identity.federation.core.saml.v2.util.XMLTimeUtil;
+import org.jboss.identity.federation.core.util.JAXBUtil;
import org.jboss.identity.federation.saml.v2.assertion.NameIDType;
import
org.jboss.identity.federation.saml.v2.profiles.xacml.protocol.XACMLAuthzDecisionQueryType;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
@@ -58,6 +61,8 @@
*/
public class SAML2Request
{
+ private SAMLDocumentHolder samlDocumentHolder = null;
+
/**
* Create an authentication request
* @param id
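Review bot: The new `samlDocumentHolder` field turns SAML2Request from a stateless helper into one that carries the result of the last parse, so a single instance shared across requests or threads would hand one caller another caller's document. A comment on the field should make that explicit, e.g. `// set by getRequestType(InputStream) only; use one SAML2Request instance per parse/thread`. The other getRequestType overload (the one whose tail is visible just above the new getSamlDocumentHolder() getter) appears not to populate the field, so the getter returns null after that path; worth stating in its Javadoc.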
@@ -101,7 +106,7 @@
*/
public Binder<Node> getBinder() throws JAXBException
{
- JAXBContext jaxb = JAXBContext.newInstance(RequestAbstractType.class);
+ JAXBContext jaxb = JAXBUtil.getJAXBContext(RequestAbstractType.class);
return jaxb.createBinder();
}
@@ -111,19 +116,43 @@
* @return
* @throws SAXException
* @throws JAXBException
+ * @throws IOException
+ * @throws
* @throws IllegalArgumentException inputstream is null
*/
@SuppressWarnings("unchecked")
- public RequestAbstractType getRequestType(InputStream is) throws JAXBException,
SAXException
+ public RequestAbstractType getRequestType(InputStream is) throws ParsingException,
IOException
{
if(is == null)
- throw new IllegalStateException("InputStream is null");
- String key = JBossIdentityFederationConstants.JAXB_SCHEMA_VALIDATION;
- boolean validate = Boolean.parseBoolean(SecurityActions.getSystemProperty(key,
"false"));
+ throw new IllegalStateException("InputStream is null");
- Unmarshaller un =
JBossSAMLAuthnRequestFactory.getValidatingUnmarshaller(validate);
- JAXBElement<RequestAbstractType> jaxbAuthnRequestType =
(JAXBElement<RequestAbstractType>) un.unmarshal(is);
- return jaxbAuthnRequestType.getValue();
+ Document samlDocument = null;
+ //First parse the Document
+ try
+ {
+ samlDocument = DocumentUtil.getDocument(is);
+ }
+ catch (ParserConfigurationException e)
+ {
+ throw new ParsingException(e);
+ }
+ catch (SAXException e)
+ {
+ throw new ParsingException(e);
+ }
+
+ try
+ {
+ Binder<Node> binder = getBinder();
+ JAXBElement<RequestAbstractType> jaxbAuthnRequestType =
(JAXBElement<RequestAbstractType>) binder.unmarshal(samlDocument);
+ RequestAbstractType requestType = jaxbAuthnRequestType.getValue();
+ samlDocumentHolder = new SAMLDocumentHolder(requestType, samlDocument);
+ return requestType;
+ }
+ catch (JAXBException e)
+ {
+ throw new ParsingException(e);
+ }
}
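Review bot: The rewritten getRequestType(InputStream) no longer honours the `JBossIdentityFederationConstants.JAXB_SCHEMA_VALIDATION` system property: the removed lines obtained the unmarshaller through `JBossSAMLAuthnRequestFactory.getValidatingUnmarshaller(validate)`, while the new code binds with a plain Binder from getBinder(), so schema validation of an inbound request can no longer be switched on at this entry point. If validation is still wanted, apply a Schema to the binder when the property is true (`binder.setSchema(...)`), otherwise state in the Javadoc that this method does not validate. The Javadoc is also out of step with the new signature: it still lists `@throws SAXException` and `@throws JAXBException`, has an empty `@throws` line, and says `IllegalArgumentException` although the body throws `IllegalStateException`; it should read `@throws ParsingException if the stream cannot be parsed or bound`, `@throws IOException`, `@throws IllegalStateException if inputstream is null`.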
/**
@@ -147,7 +176,17 @@
return jaxbAuthnRequestType.getValue();
}
+
/**
+ * Get the parsed {@code SAMLDocumentHolder}
+ * @return
+ */
+ public SAMLDocumentHolder getSamlDocumentHolder()
+ {
+ return samlDocumentHolder;
+ }
+
+ /**
* Create a Logout Request
* @param issuer
* @return
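Review bot: The `@return` tag on getSamlDocumentHolder() is empty and the Javadoc does not say that the holder is null until a parse has run; suggest `@return the holder populated by the last successful getRequestType(InputStream) call, or null if none has run on this instance`. The same empty `@return` appears on SAML2Response.getSamlDocumentHolder() and on WSTrustJAXBFactory.getSAMLDocumentHolderOnThread() in this commit.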
@@ -199,7 +238,7 @@
String xsProto =
"org.jboss.identity.federation.saml.v2.profiles.xacml.protocol";
String path = samlPath + ":" + xacmlPath + ":" + xsAssert +
":" + xsProto;
- JAXBContext jaxb = JAXBContext.newInstance(path);
+ JAXBContext jaxb = JAXBUtil.getJAXBContext(path);
Unmarshaller un = jaxb.createUnmarshaller();
JAXBElement<RequestAbstractType> jaxbRequestType =
(JAXBElement<RequestAbstractType>) un.unmarshal(is);
@@ -222,7 +261,7 @@
public Document convert(RequestAbstractType rat)
throws SAXException, IOException, JAXBException, ParserConfigurationException
{
- JAXBContext jaxb = JAXBContext.newInstance(RequestAbstractType.class);
+ JAXBContext jaxb = JAXBUtil.getJAXBContext(RequestAbstractType.class);
Binder<Node> binder = jaxb.createBinder();
Document doc = DocumentUtil.createDocument();
@@ -239,7 +278,7 @@
*/
public Document convert(ResponseType responseType) throws JAXBException,
ParserConfigurationException
{
- JAXBContext jaxb = JAXBContext.newInstance(ResponseType.class);
+ JAXBContext jaxb = JAXBUtil.getJAXBContext(ResponseType.class);
Binder<Node> binder = jaxb.createBinder();
Document doc = DocumentUtil.createDocument();
Modified:
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/response/SAML2Response.java
===================================================================
---
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/response/SAML2Response.java 2009-08-11
21:17:11 UTC (rev 692)
+++
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/response/SAML2Response.java 2009-08-14
00:20:17 UTC (rev 693)
@@ -35,12 +35,11 @@
import javax.xml.bind.Unmarshaller;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.transform.Source;
+import org.jboss.identity.federation.api.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.core.constants.JBossIdentityFederationConstants;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
import org.jboss.identity.federation.core.exceptions.ParsingException;
-import org.jboss.identity.federation.core.exceptions.ProcessingException;
import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import
org.jboss.identity.federation.core.saml.v2.exceptions.IssueInstantMissingException;
import
org.jboss.identity.federation.core.saml.v2.factories.JBossSAMLAuthnResponseFactory;
@@ -53,6 +52,7 @@
import org.jboss.identity.federation.core.saml.v2.util.AssertionUtil;
import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
import org.jboss.identity.federation.core.saml.v2.util.JAXBElementMappingUtil;
+import org.jboss.identity.federation.core.util.JAXBUtil;
import org.jboss.identity.federation.saml.v2.assertion.AssertionType;
import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.jboss.identity.federation.saml.v2.assertion.AttributeType;
@@ -72,8 +72,8 @@
* @since Jan 5, 2009
*/
public class SAML2Response
-{
- private Document responseDocument = null;
+{
+ private SAMLDocumentHolder samlDocumentHolder = null;
/**
* Create an assertion
@@ -206,6 +206,15 @@
JAXBElement<AssertionType> jaxb = (JAXBElement<AssertionType>)
un.unmarshal(is);
return jaxb.getValue();
}
+
+ /**
+ * Get the parsed {@code SAMLDocumentHolder}
+ * @return
+ */
+ public SAMLDocumentHolder getSamlDocumentHolder()
+ {
+ return samlDocumentHolder;
+ }
/**
* Read a ResponseType from an input stream
@@ -220,10 +229,11 @@
if(is == null)
throw new IllegalArgumentException("inputstream is null");
+ Document samlResponseDocument = null;
//Read the DOM
try
{
- responseDocument = DocumentUtil.getDocument(is);
+ samlResponseDocument = DocumentUtil.getDocument(is);
}
catch (ParserConfigurationException e)
{
@@ -237,38 +247,22 @@
{
throw new ParsingException(e);
}
-
- Source domSource = DocumentUtil.getXMLSource(responseDocument);
-
- Unmarshaller un;
try
{
- un = JBossSAMLAuthnResponseFactory.getUnmarshaller();
- JAXBElement<ResponseType> jaxbAuthnRequestType =
(JAXBElement<ResponseType>) un.unmarshal(domSource);
- return jaxbAuthnRequestType.getValue();
+ Binder<Node> binder = getBinder();
+ JAXBElement<ResponseType> jaxbResponseType =
(JAXBElement<ResponseType>) binder.unmarshal(samlResponseDocument);
+ ResponseType responseType = jaxbResponseType.getValue();
+ samlDocumentHolder = new SAMLDocumentHolder(responseType,
samlResponseDocument);
+ return responseType;
}
catch (JAXBException e)
{
throw new ParsingException(e);
- }
- catch (SAXException e)
- {
- throw new ParsingException(e);
}
}
- /**
- * Return the Parsed Document
- * @return
- * @throws ProcessingException if there is no parsed DOM
- */
- public Document getResponseDocument() throws ProcessingException
- {
- if(responseDocument == null)
- throw new ProcessingException("Response Document is null");
- return responseDocument;
- }
+
/**
* Convert an EncryptedElement into a Document
* @param encryptedElementType
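Review bot: Removing the public getResponseDocument() drops the only place that failed loudly when no document had been parsed: it threw `ProcessingException("Response Document is null")`, whereas the replacement getSamlDocumentHolder() returns null and every caller must now null-check both the holder and its document. Any code compiled against getResponseDocument() is a source break (the SP authenticators in the bindings module are modified in this commit, presumably for this reason); a deprecated delegate such as `@Deprecated public Document getResponseDocument() throws ProcessingException { if (samlDocumentHolder == null) throw new ProcessingException("Response Document is null"); return samlDocumentHolder.getSamlDocument(); }` would keep the old contract, at the cost of retaining the `ProcessingException` import this commit removes. The enclosing parse method starts outside this hunk.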
@@ -279,7 +273,7 @@
public Document convert(EncryptedElementType encryptedElementType)
throws JAXBException, ParserConfigurationException
{
- JAXBContext jaxb = JAXBContext.newInstance(EncryptedElementType.class);
+ JAXBContext jaxb = JAXBUtil.getJAXBContext(EncryptedElementType.class);
Binder<Node> binder = jaxb.createBinder();
Document doc = DocumentUtil.createDocument();
@@ -294,7 +288,7 @@
*/
public Binder<Node> getBinder() throws JAXBException
{
- JAXBContext jaxb = JAXBContext.newInstance(ResponseType.class);
+ JAXBContext jaxb = JAXBUtil.getJAXBContext(ResponseType.class);
return jaxb.createBinder();
}
@@ -307,10 +301,10 @@
*/
public Document convert(ResponseType responseType) throws JAXBException,
ParserConfigurationException
{
- JAXBContext jaxb = JAXBContext.newInstance(ResponseType.class);
+ JAXBContext jaxb = JAXBUtil.getJAXBContext(ResponseType.class);
Binder<Node> binder = jaxb.createBinder();
- responseDocument = DocumentUtil.createDocument();
+ Document responseDocument = DocumentUtil.createDocument();
binder.marshal(JAXBElementMappingUtil.get(responseType), responseDocument);
return responseDocument;
}
Modified:
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/StandardRequestHandler.java
===================================================================
---
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/StandardRequestHandler.java 2009-08-11
21:17:11 UTC (rev 692)
+++
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/StandardRequestHandler.java 2009-08-14
00:20:17 UTC (rev 693)
@@ -76,6 +76,10 @@
public RequestSecurityTokenResponse issue(RequestSecurityToken request, Principal
callerPrincipal)
throws WSTrustException
{
+ Document rstDocument = request.getRSTDocument();
+ if( rstDocument == null)
+ throw new IllegalArgumentException("Request does not contain the DOM
Document");
+
SecurityTokenProvider provider = null;
// first try to obtain the security token provider using the applies-to contents.
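Review bot: The new guard throws `IllegalArgumentException` from a method whose declared failure channel is `WSTrustException`, so a request without a DOM document escapes as an unchecked exception rather than the fault type the STS layer handles; `throw new WSTrustException("Request does not contain the DOM Document");` fits the method's contract (a String constructor is already used by the validate-target check in this file). The local `rstDocument` is never read again in issue(), and the identical block is repeated in renew(), validate() and cancel() below; a single `private static void requireRSTDocument(RequestSecurityToken request) throws WSTrustException` helper called first in each method would remove the duplication. In renew() and cancel() the check precedes an unconditional `UnsupportedOperationException`, which is harmless but deserves a comment. issue()'s body continues outside the hunk.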
@@ -173,6 +177,10 @@
public RequestSecurityTokenResponse renew(RequestSecurityToken request, Principal
callerPrincipal)
throws WSTrustException
{
+ Document rstDocument = request.getRSTDocument();
+ if( rstDocument == null)
+ throw new IllegalArgumentException("Request does not contain the DOM
Document");
+
// TODO: implement renew logic.
throw new UnsupportedOperationException();
}
@@ -187,6 +195,10 @@
public RequestSecurityTokenResponse validate(RequestSecurityToken request, Principal
callerPrincipal)
throws WSTrustException
{
+ Document rstDocument = request.getRSTDocument();
+ if( rstDocument == null)
+ throw new IllegalArgumentException("Request does not contain the DOM
Document");
+
if (request.getValidateTarget() == null)
throw new WSTrustException("Unable to validate token: validate target is
null");
@@ -205,7 +217,8 @@
KeyPair keyPair = this.configuration.getSTSKeyPair();
try
{
- Element tokenElement = (Element) request.getValidateTarget().getAny();
+ //Element tokenElement = (Element) request.getValidateTarget().getAny();
+ Element tokenElement = request.getValidateTargetElement();
Document tokenDocument = DocumentUtil.createDocument();
tokenDocument.appendChild(tokenDocument.importNode(tokenElement, true));
if (!XMLSignatureUtil.validate(tokenDocument, keyPair.getPublic()))
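Review bot: `request.getValidateTargetElement()` can return null (its implementation in RequestSecurityToken returns null when no ValidateTarget element is found), and the next line passes it straight to `tokenDocument.importNode(tokenElement, true)`, which will NPE inside the try block; a guard `if (tokenElement == null) throw new WSTrustException("Unable to validate token: validate target is null");` before the copy keeps the failure on the method's declared exception. Note also that the element obtained here is the `ValidateTarget` wrapper itself, whereas the replaced line took `getValidateTarget().getAny()`, i.e. the token inside the wrapper, so the document handed to XMLSignatureUtil.validate now has a different root than before — please confirm validate() still locates the signature it should check. The commented-out original line should be deleted rather than left behind.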
@@ -251,8 +264,11 @@
public RequestSecurityTokenResponse cancel(RequestSecurityToken request, Principal
callerPrincipal)
throws WSTrustException
{
+ Document rstDocument = request.getRSTDocument();
+ if( rstDocument == null)
+ throw new IllegalArgumentException("Request does not contain the DOM
Document");
+
// TODO: implement cancel logic.
throw new UnsupportedOperationException();
}
-
-}
+}
\ No newline at end of file
Modified:
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/WSTrustJAXBFactory.java
===================================================================
---
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/WSTrustJAXBFactory.java 2009-08-11
21:17:11 UTC (rev 692)
+++
identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/WSTrustJAXBFactory.java 2009-08-14
00:20:17 UTC (rev 693)
@@ -21,6 +21,7 @@
*/
package org.jboss.identity.federation.api.wstrust;
+import javax.xml.bind.Binder;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;
@@ -28,6 +29,8 @@
import javax.xml.transform.Source;
import javax.xml.transform.dom.DOMSource;
+import org.jboss.identity.federation.api.saml.v2.common.SAMLDocumentHolder;
+import org.jboss.identity.federation.core.exceptions.ParsingException;
import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
import org.jboss.identity.federation.core.util.JAXBUtil;
import org.jboss.identity.federation.core.wstrust.BaseRequestSecurityToken;
@@ -57,8 +60,12 @@
private Marshaller marshaller;
private Unmarshaller unmarshaller;
+
+ private Binder<Node> binder;
private final ObjectFactory objectFactory;
+
+ private ThreadLocal<SAMLDocumentHolder> holders = new
ThreadLocal<SAMLDocumentHolder>();
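Review bot: The new `binder` is a single instance shared by every caller of this factory while `holders` is a ThreadLocal — the ThreadLocal signals concurrent use, and JAXB's `Binder`, like `Marshaller`/`Unmarshaller`, is not documented as thread-safe, so concurrent parseRequestSecurityToken calls may interfere with each other. Since JAXBUtil.getJAXBContext now caches the context, creating the binder per call is cheap: `Binder<Node> binder = JAXBUtil.getJAXBContext(this.getPackages()).createBinder();` inside parseRequestSecurityToken, dropping the field. The pre-existing shared `marshaller`/`unmarshaller` fields have the same property and are outside this change. `holders` could also be declared `final`.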
/**
* <p>
@@ -71,6 +78,7 @@
{
this.marshaller = JAXBUtil.getMarshaller(this.getPackages());
this.unmarshaller = JAXBUtil.getUnmarshaller(this.getPackages());
+ this.binder = JAXBUtil.getJAXBContext(this.getPackages()).createBinder();
this.objectFactory = new ObjectFactory();
}
catch (JAXBException e)
@@ -112,14 +120,32 @@
* @return the constructed {@code BaseRequestSecurityToken} instance. It will be an
instance of {@code
* RequestSecurityToken} the message contains a single token request, and an
instance of {@code
* RequestSecurityTokenCollection} if multiples requests are being made in the
same message.
+ * @throws ParsingException
*/
- public BaseRequestSecurityToken parseRequestSecurityToken(Source request)
+ @SuppressWarnings("unchecked")
+ public BaseRequestSecurityToken parseRequestSecurityToken(Source request) throws
ParsingException
{
// if the request contains a validate, cancel, or renew target, we must preserve it
from JAXB unmarshalling.
Node documentNode = ((DOMSource) request).getNode();
Document document = documentNode instanceof Document ? (Document) documentNode :
documentNode.getOwnerDocument();
- Element targetElement = this.getValidateOrRenewOrCancelTarget(document);
+
+ JAXBElement<RequestSecurityTokenType> jaxbRST;
+ try
+ {
+ jaxbRST = (JAXBElement<RequestSecurityTokenType>)
binder.unmarshal(document);
+ RequestSecurityTokenType rstt = jaxbRST.getValue();
+ holders.set(new SAMLDocumentHolder(rstt, document));
+ return new RequestSecurityToken(rstt);
+ }
+ catch (JAXBException e)
+ {
+ throw new ParsingException(e);
+ }
+
+
+ /*Element targetElement = this.getValidateOrRenewOrCancelTarget(document);
+
try
{
Object object = this.unmarshaller.unmarshal(request);
@@ -151,7 +177,7 @@
catch (Exception e)
{
throw new RuntimeException("Failed to unmarshall security token
request", e);
- }
+ }*/
}
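Review bot: The parsed token is returned as `new RequestSecurityToken(rstt)` without its document, even though this commit adds `RequestSecurityToken(RequestSecurityTokenType, Document)` for exactly this case; unless a caller later copies the document from the thread-local holder via setRSTDocument, `getRSTDocument()` is null and StandardRequestHandler rejects the request. `return new RequestSecurityToken(rstt, document);` attaches the DOM directly and removes the dependency on the ThreadLocal round trip. The old body (from `/*Element targetElement = ...` to `}*/`) is left commented out, as is getValidateOrRenewOrCancelTarget further down; dead code should be deleted, version control keeps it. The unchecked `(DOMSource) request` cast and the unguarded `getOwnerDocument()` result are pre-existing.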
/**
@@ -308,6 +334,15 @@
}
return DocumentUtil.getXMLSource(result);
}
+
+ /**
+ * Return the {@code SAMLDocumentHolder} for the thread
+ * @return
+ */
+ public SAMLDocumentHolder getSAMLDocumentHolderOnThread()
+ {
+ return holders.get();
+ }
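Review bot: `holders.set(...)` in parseRequestSecurityToken is never paired with `holders.remove()`, so on a pooled server thread the last request's parsed object and DOM stay reachable for the life of the thread and are visible to the next request processed on it. Either have this getter clear the slot as it returns — `SAMLDocumentHolder h = holders.get(); holders.remove(); return h;` — or add a `clearSAMLDocumentHolderOnThread()` that calls `holders.remove()` for callers to invoke in a finally block, and document whichever is chosen. The `@return` tag is also empty.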
/**
* <p>
@@ -342,7 +377,7 @@
* the {@code Document} upon which the search is to be made.
* @return an {@code Element} representing the validate, renew, or cancel target.
*/
- private Element getValidateOrRenewOrCancelTarget(Document document)
+ /*private Element getValidateOrRenewOrCancelTarget(Document document)
{
Node target = this.findNodeByNameNS(document, "ValidateTarget",
WSTrustConstants.BASE_NAMESPACE);
if (target != null)
@@ -354,5 +389,5 @@
if (target != null)
return (Element) target.getFirstChild();
return null;
- }
+ }*/
}
\ No newline at end of file
Modified:
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/util/JAXBUtil.java
===================================================================
---
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/util/JAXBUtil.java 2009-08-11
21:17:11 UTC (rev 692)
+++
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/util/JAXBUtil.java 2009-08-14
00:20:17 UTC (rev 693)
@@ -22,6 +22,7 @@
package org.jboss.identity.federation.core.util;
import java.net.URL;
+import java.util.HashMap;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
@@ -46,7 +47,14 @@
public static final String W3C_XML_SCHEMA_NS_URI =
"http://www.w3.org/2001/XMLSchema";
-
+ private static HashMap<String,JAXBContext> jaxbContextHash = new
HashMap<String, JAXBContext>();
+
+ static
+ {
+ //Useful on Sun VMs. Harmless on other VMs.
+
SecurityActions.setSystemProperty("com.sun.xml.bind.v2.runtime.JAXBContextImpl.fastBoot",
"true");
+ }
+
/**
* Get the JAXB Marshaller
* @param pkgName The package name for the jaxb context
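Review bot: `jaxbContextHash` is a plain `HashMap` mutated from static methods of a utility class that request threads call concurrently; the check-then-put in the new getJAXBContext(String) and getJAXBContext(Class) at the end of this file is unsynchronized, and concurrent puts into a HashMap can corrupt its internal table. Declare it `private static final ConcurrentMap<String, JAXBContext> jaxbContextHash = new ConcurrentHashMap<String, JAXBContext>();` (importing java.util.concurrent); the create-then-put race then at worst builds a context twice, which is benign. The cache is keyed by class or package name only, so in a container where several deployments load the same names through different classloaders the first deployment's JAXBContext would be served to the others — if that applies here the key should include the classloader. The static initializer sets the JVM-wide `fastBoot` property from library code, which the comment should mention.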
@@ -78,7 +86,7 @@
if(pkgName == null)
throw new IllegalArgumentException("pkgName is null");
- JAXBContext jc = JAXBContext.newInstance(pkgName);
+ JAXBContext jc = getJAXBContext(pkgName);
Marshaller marshaller = jc.createMarshaller();
marshaller.setProperty(Marshaller.JAXB_ENCODING, "UTF-8");
marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.FALSE); //Breaks
signatures
@@ -95,7 +103,7 @@
{
if(pkgName == null)
throw new IllegalArgumentException("pkgName is null");
- JAXBContext jc = JAXBContext.newInstance(pkgName);
+ JAXBContext jc = getJAXBContext(pkgName);
return jc.createUnmarshaller();
}
@@ -170,4 +178,28 @@
Schema schema = scFact.newSchema(schemaURL);
return schema;
}
+
+ public static JAXBContext getJAXBContext(String path) throws JAXBException
+ {
+ JAXBContext jx = jaxbContextHash.get(path);
+ if(jx == null)
+ {
+ jx = JAXBContext.newInstance(path);
+ jaxbContextHash.put(path, jx);
+ }
+ return jx;
+ }
+
+ public static JAXBContext getJAXBContext(Class<?> clazz) throws JAXBException
+ {
+ String clazzName = clazz.getName();
+
+ JAXBContext jx = jaxbContextHash.get(clazzName);
+ if(jx == null)
+ {
+ jx = JAXBContext.newInstance(clazz);
+ jaxbContextHash.put(clazzName, jx);
+ }
+ return jx;
+ }
}
\ No newline at end of file
Modified:
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/RequestSecurityToken.java
===================================================================
---
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/RequestSecurityToken.java 2009-08-11
21:17:11 UTC (rev 692)
+++
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/RequestSecurityToken.java 2009-08-14
00:20:17 UTC (rev 693)
@@ -49,6 +49,9 @@
import org.jboss.identity.federation.ws.trust.RequestSecurityTokenType;
import org.jboss.identity.federation.ws.trust.UseKeyType;
import org.jboss.identity.federation.ws.trust.ValidateTargetType;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
/**
* <p>
@@ -160,6 +163,8 @@
private final ObjectFactory factory = new ObjectFactory();
+ private Document rstDocument;
+
/**
* <p>
* Creates an instance of {@code RequestSecurityToken}.
@@ -260,6 +265,17 @@
}
}
}
+
+ /**
+ * Creates an instance of {@code RequestSecurityTokenType} and {@code Document}
+ * @param delegate
+ * @param rstDocument
+ */
+ public RequestSecurityToken(RequestSecurityTokenType delegate, Document rstDocument)
+ {
+ this(delegate);
+ this.rstDocument = rstDocument;
+ }
/**
* <p>
@@ -1034,6 +1050,26 @@
{
return this.validateTarget;
}
+
+ /**
+ * Return the element in the document that represents
+ * the validate type
+ * @return
+ */
+ public Element getValidateTargetElement()
+ {
+ if(rstDocument == null)
+ throw new IllegalStateException("RST Document is null");
+
+ String ns = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
+ String localPart = "ValidateTarget";
+
+ NodeList nodeList = rstDocument.getElementsByTagNameNS(ns,localPart);
+ if(nodeList != null && nodeList.getLength() > 0)
+ return (Element) nodeList.item(0);
+ else
+ return null;
+ }
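Review bot: `getElementsByTagNameNS` scans every descendant of the document and returns the first match, so the element chosen may be a `ValidateTarget` nested anywhere in the request rather than the one that is a direct child of the RequestSecurityToken root; iterating `rstDocument.getDocumentElement().getChildNodes()` and matching namespace and local name keeps the lookup anchored to the structure the WS-Trust schema defines. The namespace literal `"http://docs.oasis-open.org/ws-sx/ws-trust/200512/"` is already available as `WSTrustConstants.BASE_NAMESPACE` (used by the WSTrustJAXBFactory code this commit comments out), if that constant is reachable from this module. The returned element is the ValidateTarget wrapper, not the token it contains, so the method name and Javadoc (`the validate type`) should say which; `nodeList != null` is redundant since the DOM API never returns null there, and the `@return` tag is empty.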
/**
* <p>
@@ -1086,4 +1122,18 @@
{
return this.delegate;
}
-}
+
+ /**
+ * Get the {@code Document} document representing the request
+ * @return
+ */
+ public Document getRSTDocument()
+ {
+ return this.rstDocument;
+ }
+
+ public void setRSTDocument(Document rstDocument)
+ {
+ this.rstDocument = rstDocument;
+ }
+}
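Review bot: `getRSTDocument()`'s summary reads `Get the {@code Document} document representing the request` with an empty `@return`, and `setRSTDocument` has no Javadoc; suggest `@return the DOM document the request was parsed from, or null if the token was not built from one` on the getter and `Attach the DOM document this request was parsed from; required before getValidateTargetElement() can be used.` on the setter. That dependency is visible in getValidateTargetElement, which throws IllegalStateException when the document is absent.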
\ No newline at end of file