March 2011 - picketlink-commits - Jboss List Archives

Picketlink SVN: r819 - federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-03-15 18:29:20 -0400 (Tue, 15 Mar 2011) New Revision: 819 Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/StringUtil.java Log: consider trim Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/StringUtil.java =================================================================== --- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/StringUtil.java 2011-03-15 22:04:25 UTC (rev 818) +++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/StringUtil.java 2011-03-15 22:29:20 UTC (rev 819) @@ -41,7 +41,7 @@ */ public static boolean isNotNull(String str) { - return str != null && !"".equals(str); + return str != null && !"".equals(str.trim()); } /**

13 years, 9 months

1
0
0 / 0

Picketlink SVN: r818 - in trust/trunk: jbossws and 1 other directories.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-03-15 18:04:25 -0400 (Tue, 15 Mar 2011) New Revision: 818 Modified: trust/trunk/jbossws/pom.xml trust/trunk/parent/pom.xml trust/trunk/pom.xml Log: bump version and update deps Modified: trust/trunk/jbossws/pom.xml =================================================================== --- trust/trunk/jbossws/pom.xml 2011-03-15 19:37:38 UTC (rev 817) +++ trust/trunk/jbossws/pom.xml 2011-03-15 22:04:25 UTC (rev 818) @@ -2,7 +2,7 @@ <parent> <groupId>org.picketlink</groupId> <artifactId>picketlink-trust-parent</artifactId> - <version>1.0.0.CR4</version> + <version>2.0.0-SNAPSHOT</version> <relativePath>../parent</relativePath> </parent> <modelVersion>4.0.0</modelVersion> @@ -47,7 +47,7 @@ <dependency> <groupId>org.jboss.ws</groupId> <artifactId>jbossws-common</artifactId> - <version>1.4.0.CR1</version> + <version>1.4.1.GA</version> </dependency> <dependency> <groupId>org.picketlink</groupId> @@ -72,13 +72,18 @@ <dependency> <groupId>org.picketbox</groupId> <artifactId>jboss-security-spi</artifactId> - <version>3.0.0.CR2</version> + <version>3.0.0.Final</version> </dependency> <dependency> <groupId>org.picketbox</groupId> <artifactId>jbosssx</artifactId> - <version>3.0.0.CR2</version> + <version>3.0.0.Final</version> </dependency> + <dependency> + <groupId>org.jboss.logging</groupId> + <artifactId>jboss-logging-spi</artifactId> + <version>2.1.0.GA</version> + </dependency> </dependencies> <reporting> Modified: trust/trunk/parent/pom.xml =================================================================== --- trust/trunk/parent/pom.xml 2011-03-15 19:37:38 UTC (rev 817) +++ trust/trunk/parent/pom.xml 2011-03-15 22:04:25 UTC (rev 818) @@ -8,7 +8,7 @@ <groupId>org.picketlink</groupId> <artifactId>picketlink-trust-parent</artifactId> <packaging>pom</packaging> - <version>1.0.0.CR4</version> + <version>2.0.0-SNAPSHOT</version> <name>PicketLink Trust - Parent</name> <url>http://labs.jboss.org/portal/picketlink/</url> <description>PicketLink Trust integrates PicketLink with external projects</description> Modified: trust/trunk/pom.xml =================================================================== --- trust/trunk/pom.xml 2011-03-15 19:37:38 UTC (rev 817) +++ trust/trunk/pom.xml 2011-03-15 22:04:25 UTC (rev 818) @@ -2,7 +2,7 @@ <parent> <groupId>org.picketlink</groupId> <artifactId>picketlink-trust-parent</artifactId> - <version>1.0.0.CR4</version> + <version>2.0.0-SNAPSHOT</version> <relativePath>parent</relativePath> </parent> <modelVersion>4.0.0</modelVersion>

13 years, 9 months

1
0
0 / 0

Picketlink SVN: r817 - picketlink-seam/trunk/picketlink-seam/src/main/java/org/picketlink/identity/seam/federation/configuration.

by picketlink-commits＠lists.jboss.org

Author: matthew.hayes Date: 2011-03-15 15:37:38 -0400 (Tue, 15 Mar 2011) New Revision: 817 Modified: picketlink-seam/trunk/picketlink-seam/src/main/java/org/picketlink/identity/seam/federation/configuration/SamlEndpoint.java Log: Added check for null before using StringUtil.getSystemPropertyAsString in constructor Modified: picketlink-seam/trunk/picketlink-seam/src/main/java/org/picketlink/identity/seam/federation/configuration/SamlEndpoint.java =================================================================== --- picketlink-seam/trunk/picketlink-seam/src/main/java/org/picketlink/identity/seam/federation/configuration/SamlEndpoint.java 2011-03-15 19:15:38 UTC (rev 816) +++ picketlink-seam/trunk/picketlink-seam/src/main/java/org/picketlink/identity/seam/federation/configuration/SamlEndpoint.java 2011-03-15 19:37:38 UTC (rev 817) @@ -2,7 +2,7 @@ * JBoss, Home of Professional Open Source. * Copyright 2008, Red Hat Middleware LLC, and individual contributors * as indicated by the @author tags. See the copyright.txt file in the -* distribution for a full listing of individual contributors. +* distribution for a full listing of individual contributors. * * This is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as @@ -43,7 +43,7 @@ this.service = service; this.binding = binding; this.location = StringUtil.getSystemPropertyAsString( location ); - this.responseLocation = StringUtil.getSystemPropertyAsString( responseLocation ); + this.responseLocation = responseLocation != null ? StringUtil.getSystemPropertyAsString( responseLocation ) : responseLocation; } public SamlService getService()

13 years, 9 months

1
0
0 / 0

Picketlink SVN: r816 - in federation/trunk/picketlink-web/src: test/java/org/picketlink/test/identity/federation/web/saml/handlers and 1 other directory.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-03-15 15:15:38 -0400 (Tue, 15 Mar 2011) New Revision: 816 Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AttributeHandler.java federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2AttributeHandlerUnitTestCase.java Log: PLFED-159: saml attribute handler on sp side should populate the http session with idp passed attributes Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AttributeHandler.java =================================================================== --- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AttributeHandler.java 2011-03-15 19:09:44 UTC (rev 815) +++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AttributeHandler.java 2011-03-15 19:15:38 UTC (rev 816) @@ -161,11 +161,11 @@ for (ASTChoiceType attrChoice : attrs) { AttributeType attr = attrChoice.getAttribute(); - Map<String, Object> attrMap = (Map<String, Object>) session + Map<String, List<Object>> attrMap = (Map<String, List<Object>>) session .getAttribute(GeneralConstants.SESSION_ATTRIBUTE_MAP); if (attrMap == null) { - attrMap = new HashMap<String, Object>(); + attrMap = new HashMap<String, List<Object>>(); session.setAttribute(GeneralConstants.SESSION_ATTRIBUTE_MAP, attrMap); } attrMap.put(attr.getFriendlyName(), attr.getAttributeValue()); Modified: federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2AttributeHandlerUnitTestCase.java =================================================================== --- federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2AttributeHandlerUnitTestCase.java 2011-03-15 19:09:44 UTC (rev 815) +++ federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2AttributeHandlerUnitTestCase.java 2011-03-15 19:15:38 UTC (rev 816) @@ -167,10 +167,10 @@ request.addOption(GeneralConstants.ASSERTION, assertion); handler.handleStatusResponseType(request, response); - Map<String, Object> sessionMap = (Map<String, Object>) session + Map<String, List<Object>> sessionMap = (Map<String, List<Object>>) session .getAttribute(GeneralConstants.SESSION_ATTRIBUTE_MAP); assertNotNull(sessionMap); - List<Object> values = (List<Object>) sessionMap.get("testKey"); + List<Object> values = sessionMap.get("testKey"); assertEquals("hello", values.get(0)); }

13 years, 9 months

1
0
0 / 0

Picketlink SVN: r815 - in federation/trunk: picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants and 2 other directories.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-03-15 15:09:44 -0400 (Tue, 15 Mar 2011) New Revision: 815 Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AttributeHandler.java federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2AttributeHandlerUnitTestCase.java Log: PLFED-159: saml attribute handler on sp side should populate the http session with idp passed attributes Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java =================================================================== --- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java 2011-03-15 17:22:40 UTC (rev 814) +++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java 2011-03-15 19:09:44 UTC (rev 815) @@ -124,7 +124,11 @@ att.setFriendlyName(key); } else - throw new RuntimeException("Unknown:" + key); + { + att = new AttributeType(key); + att.setFriendlyName(key); + att.setNameFormat(JBossSAMLURIConstants.ATTRIBUTE_FORMAT_URI.get()); + } att.addAttributeValue(value); attrStatement.addAttribute(new ASTChoiceType(att)); Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java =================================================================== --- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-03-15 17:22:40 UTC (rev 814) +++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-03-15 19:09:44 UTC (rev 815) @@ -88,6 +88,8 @@ String SIGN_OUTGOING_MESSAGES = "SIGN_OUTGOING_MESSAGES"; + String SESSION_ATTRIBUTE_MAP = "SESSION_ATTRIBUTE_MAP"; + String USERNAME_FIELD = "JBID_USERNAME"; String PASS_FIELD = "JBID_PASSWORD"; Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AttributeHandler.java =================================================================== --- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AttributeHandler.java 2011-03-15 17:22:40 UTC (rev 814) +++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AttributeHandler.java 2011-03-15 19:09:44 UTC (rev 815) @@ -20,12 +20,13 @@ * 02110-1301 USA, or see the FSF site: http://www.fsf.org. */ package org.picketlink.identity.federation.web.handlers.saml2; - import java.security.Principal; import java.util.ArrayList; +import java.util.HashMap; import java.util.List; import java.util.Map; +import java.util.Set; import javax.servlet.http.HttpSession; @@ -38,7 +39,12 @@ import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChainConfig; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerConfig; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest; -import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse; +import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse; +import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AssertionType; +import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType; +import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType.ASTChoiceType; +import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeType; +import org.picketlink.identity.federation.newmodel.saml.v2.assertion.StatementAbstractType; import org.picketlink.identity.federation.newmodel.saml.v2.protocol.LogoutRequestType; import org.picketlink.identity.federation.web.constants.GeneralConstants; import org.picketlink.identity.federation.web.core.HTTPContext; @@ -49,24 +55,26 @@ * @since Oct 12, 2009 */ public class SAML2AttributeHandler extends BaseSAML2Handler -{ +{ private static Logger log = Logger.getLogger(SAML2AttributeHandler.class); - private boolean trace = log.isTraceEnabled(); - - protected AttributeManager attribManager = new EmptyAttributeManager(); + + private final boolean trace = log.isTraceEnabled(); + + protected AttributeManager attribManager = new EmptyAttributeManager(); + protected List<String> attributeKeys = new ArrayList<String>(); - + @Override public void initChainConfig(SAML2HandlerChainConfig handlerChainConfig) throws ConfigurationException { super.initChainConfig(handlerChainConfig); Object config = this.handlerChainConfig.getParameter(GeneralConstants.CONFIGURATION); - if(config instanceof IDPType) + if (config instanceof IDPType) { IDPType idpType = (IDPType) config; String attribStr = idpType.getAttributeManager(); insantiateAttributeManager(attribStr); - } + } } @SuppressWarnings("unchecked") @@ -74,11 +82,11 @@ public void initHandlerConfig(SAML2HandlerConfig handlerConfig) throws ConfigurationException { super.initHandlerConfig(handlerConfig); - + String attribStr = (String) this.handlerConfig.getParameter(GeneralConstants.ATTIBUTE_MANAGER); this.insantiateAttributeManager(attribStr); List<String> ak = (List<String>) this.handlerConfig.getParameter(GeneralConstants.ATTRIBUTE_KEYS); - if(ak != null) + if (ak != null) this.attributeKeys.addAll(ak); } @@ -86,42 +94,83 @@ public void handleRequestType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException { //Do not handle log out request interaction - if(request.getSAML2Object() instanceof LogoutRequestType) - return ; - + if (request.getSAML2Object() instanceof LogoutRequestType) + return; + //only handle IDP side - if(getType() == HANDLER_TYPE.SP) + if (getType() == HANDLER_TYPE.SP) return; - + HTTPContext httpContext = (HTTPContext) request.getContext(); HttpSession session = httpContext.getRequest().getSession(false); - + Principal userPrincipal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID); Map<String, Object> attribs = (Map<String, Object>) session.getAttribute(GeneralConstants.ATTRIBUTES); - if(attribs == null) - { + if (attribs == null) + { attribs = this.attribManager.getAttributes(userPrincipal, attributeKeys); session.setAttribute(GeneralConstants.ATTRIBUTES, attribs); - } - } - - private void insantiateAttributeManager(String attribStr) - throws ConfigurationException + } + } + + @Override + public void handleStatusResponseType(SAML2HandlerRequest request, SAML2HandlerResponse response) + throws ProcessingException { - if(attribStr != null && !"".equals(attribStr)) + //only handle SP side + if (getType() == HANDLER_TYPE.IDP) + return; + handleIDPResponse(request); + } + + private void insantiateAttributeManager(String attribStr) throws ConfigurationException + { + if (attribStr != null && !"".equals(attribStr)) { ClassLoader tcl = SecurityActions.getContextClassLoader(); try { attribManager = (AttributeManager) tcl.loadClass(attribStr).newInstance(); - if(trace) + if (trace) log.trace("AttributeManager set to " + this.attribManager); } catch (Exception e) { - log.error("Exception initializing attribute manager:",e); - throw new ConfigurationException(); - } - } + log.error("Exception initializing attribute manager:", e); + throw new ConfigurationException(); + } + } } + + @SuppressWarnings("unchecked") + protected void handleIDPResponse(SAML2HandlerRequest request) + { + HTTPContext httpContext = (HTTPContext) request.getContext(); + HttpSession session = httpContext.getRequest().getSession(false); + + AssertionType assertion = (AssertionType) request.getOptions().get(GeneralConstants.ASSERTION); + if (assertion == null) + throw new RuntimeException("Assertion not found in the handler request"); + Set<StatementAbstractType> statements = assertion.getStatements(); + for (StatementAbstractType statement : statements) + { + if (statement instanceof AttributeStatementType) + { + AttributeStatementType attrStat = (AttributeStatementType) statement; + List<ASTChoiceType> attrs = attrStat.getAttributes(); + for (ASTChoiceType attrChoice : attrs) + { + AttributeType attr = attrChoice.getAttribute(); + Map<String, Object> attrMap = (Map<String, Object>) session + .getAttribute(GeneralConstants.SESSION_ATTRIBUTE_MAP); + if (attrMap == null) + { + attrMap = new HashMap<String, Object>(); + session.setAttribute(GeneralConstants.SESSION_ATTRIBUTE_MAP, attrMap); + } + attrMap.put(attr.getFriendlyName(), attr.getAttributeValue()); + } + } + } + } } \ No newline at end of file Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java =================================================================== --- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-03-15 17:22:40 UTC (rev 814) +++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-03-15 19:09:44 UTC (rev 815) @@ -374,6 +374,8 @@ assertion = assertions.get(0).getAssertion(); } + request.addOption(GeneralConstants.ASSERTION, assertion); + Principal userPrincipal = handleSAMLResponse(responseType, response); if (userPrincipal == null) { Modified: federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2AttributeHandlerUnitTestCase.java =================================================================== --- federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2AttributeHandlerUnitTestCase.java 2011-03-15 17:22:40 UTC (rev 814) +++ federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2AttributeHandlerUnitTestCase.java 2011-03-15 19:09:44 UTC (rev 815) @@ -21,16 +21,21 @@ */ package org.picketlink.test.identity.federation.web.saml.handlers; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNotNull; + import java.security.Principal; import java.util.HashMap; import java.util.List; import java.util.Map; -import junit.framework.TestCase; - +import org.junit.Test; import org.picketlink.identity.federation.core.config.IDPType; +import org.picketlink.identity.federation.core.config.SPType; import org.picketlink.identity.federation.core.interfaces.AttributeManager; +import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator; import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder; +import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLConstants; import org.picketlink.identity.federation.core.saml.v2.constants.X500SAMLProfileConstants; import org.picketlink.identity.federation.core.saml.v2.holders.IssuerInfoHolder; import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerChainConfig; @@ -42,6 +47,10 @@ import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerConfig; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse; +import org.picketlink.identity.federation.core.saml.v2.util.StatementUtil; +import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil; +import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AssertionType; +import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType; import org.picketlink.identity.federation.saml.v2.SAML2Object; import org.picketlink.identity.federation.web.constants.GeneralConstants; import org.picketlink.identity.federation.web.core.HTTPContext; @@ -56,13 +65,14 @@ * @author Anil.Saldhana(a)redhat.com * @since Oct 12, 2009 */ -public class SAML2AttributeHandlerUnitTestCase extends TestCase +public class SAML2AttributeHandlerUnitTestCase { private static String name = "anil"; private static String email = "anil@test"; @SuppressWarnings("unchecked") + @Test public void testAttributes() throws Exception { SAML2AttributeHandler handler = new SAML2AttributeHandler(); @@ -111,6 +121,59 @@ assertEquals(email, attribs.get(X500SAMLProfileConstants.EMAIL.getFriendlyName())); } + @SuppressWarnings("unchecked") + @Test + public void testAttribsOnSP() throws Exception + { + SAML2AttributeHandler handler = new SAML2AttributeHandler(); + + SAML2HandlerChainConfig chainConfig = new DefaultSAML2HandlerChainConfig(); + SAML2HandlerConfig handlerConfig = new DefaultSAML2HandlerConfig(); + + Map<String, Object> chainOptions = new HashMap<String, Object>(); + SPType spType = new SPType(); + chainOptions.put(GeneralConstants.CONFIGURATION, spType); + chainConfig.set(chainOptions); + + //Initialize the handler + handler.initChainConfig(chainConfig); + handler.initHandlerConfig(handlerConfig); + + //Create a Protocol Context + MockHttpSession session = new MockHttpSession(); + MockServletContext servletContext = new MockServletContext(); + MockHttpServletRequest servletRequest = new MockHttpServletRequest(session, "POST"); + MockHttpServletResponse servletResponse = new MockHttpServletResponse(); + HTTPContext httpContext = new HTTPContext(servletRequest, servletResponse, servletContext); + + SAML2Object saml2Object = new SAML2Object() + { + }; + + SAMLDocumentHolder docHolder = new SAMLDocumentHolder(saml2Object, null); + IssuerInfoHolder issuerInfo = new IssuerInfoHolder("http://localhost:8080/idp/"); + SAML2HandlerRequest request = new DefaultSAML2HandlerRequest(httpContext, issuerInfo.getIssuer(), docHolder, + SAML2Handler.HANDLER_TYPE.IDP); + SAML2HandlerResponse response = new DefaultSAML2HandlerResponse(); + + AssertionType assertion = new AssertionType(IDGenerator.create("ID_"), XMLTimeUtil.getIssueInstant(), + JBossSAMLConstants.VERSION_2_0.get()); + + Map<String, Object> myattr = new HashMap<String, Object>(); + myattr.put("testKey", "hello"); + AttributeStatementType attState = StatementUtil.createAttributeStatement(myattr); + assertion.addStatement(attState); + + request.addOption(GeneralConstants.ASSERTION, assertion); + handler.handleStatusResponseType(request, response); + + Map<String, Object> sessionMap = (Map<String, Object>) session + .getAttribute(GeneralConstants.SESSION_ATTRIBUTE_MAP); + assertNotNull(sessionMap); + List<Object> values = (List<Object>) sessionMap.get("testKey"); + assertEquals("hello", values.get(0)); + } + public static class TestAttributeManager implements AttributeManager { public Map<String, Object> getAttributes(Principal userPrincipal, List<String> attributeKeys)

13 years, 9 months

1
0
0 / 0

Picketlink SVN: r814 - picketlink-seam/trunk/seam-sp.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-03-15 13:22:40 -0400 (Tue, 15 Mar 2011) New Revision: 814 Modified: picketlink-seam/trunk/seam-sp/pom.xml Log: fix pom Modified: picketlink-seam/trunk/seam-sp/pom.xml =================================================================== --- picketlink-seam/trunk/seam-sp/pom.xml 2011-03-15 17:22:17 UTC (rev 813) +++ picketlink-seam/trunk/seam-sp/pom.xml 2011-03-15 17:22:40 UTC (rev 814) @@ -11,23 +11,11 @@ <name>Seam Service Provider</name> <dependencies> <dependency> - <groupId>org.jboss</groupId> + <groupId>org.picketlink</groupId> <artifactId>picketlink-seam</artifactId> <version>${project.version}</version> <exclusions> <exclusion> - <groupId>sun-jaxb</groupId> - <artifactId>jaxb-api</artifactId> - </exclusion> - <exclusion> - <groupId>sun-jaxb</groupId> - <artifactId>jaxb-impl</artifactId> - </exclusion> - <exclusion> - <groupId>stax</groupId> - <artifactId>stax-api</artifactId> - </exclusion> - <exclusion> <groupId>apache-log4j</groupId> <artifactId>log4j</artifactId> </exclusion>

13 years, 9 months

1
0
0 / 0

Picketlink SVN: r813 - picketlink-seam/trunk/picketlink-seam/src/main/java/org/picketlink/identity/seam/federation.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-03-15 13:22:17 -0400 (Tue, 15 Mar 2011) New Revision: 813 Modified: picketlink-seam/trunk/picketlink-seam/src/main/java/org/picketlink/identity/seam/federation/SeamSamlPrincipal.java Log: fix attribs Modified: picketlink-seam/trunk/picketlink-seam/src/main/java/org/picketlink/identity/seam/federation/SeamSamlPrincipal.java =================================================================== --- picketlink-seam/trunk/picketlink-seam/src/main/java/org/picketlink/identity/seam/federation/SeamSamlPrincipal.java 2011-03-15 17:14:01 UTC (rev 812) +++ picketlink-seam/trunk/picketlink-seam/src/main/java/org/picketlink/identity/seam/federation/SeamSamlPrincipal.java 2011-03-15 17:22:17 UTC (rev 813) @@ -74,7 +74,7 @@ public void setAttributes(List<AttributeType> attributes) { - this.attributes = attributes; + this.attributes.addAll(attributes); } public String getSessionIndex()

13 years, 9 months

1
0
0 / 0

Picketlink SVN: r812 - in federation/trunk: picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets and 1 other directories.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-03-15 13:14:01 -0400 (Tue, 15 Mar 2011) New Revision: 812 Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java Log: remove unused code Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java =================================================================== --- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2011-03-15 16:39:35 UTC (rev 811) +++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2011-03-15 17:14:01 UTC (rev 812) @@ -103,7 +103,6 @@ import org.picketlink.identity.federation.web.util.RedirectBindingUtil; import org.w3c.dom.Document; - /** * Generic Web Browser SSO valve for the IDP * @@ -115,59 +114,60 @@ */ public class IDPWebBrowserSSOValve extends ValveBase implements Lifecycle { - private static Logger log = Logger.getLogger(IDPWebBrowserSSOValve.class); - private boolean trace = log.isTraceEnabled(); - + private static Logger log = Logger.getLogger(IDPWebBrowserSSOValve.class); + + private final boolean trace = log.isTraceEnabled(); + protected IDPType idpConfiguration = null; - + private RoleGenerator roleGenerator = new TomcatRoleGenerator(); private long assertionValidity = 5000; // 5 seconds in miliseconds - + private String identityURL = null; - + private TrustKeyManager keyManager; - + private Boolean ignoreIncomingSignatures = false; private Boolean signOutgoingMessages = true; private transient DelegatedAttributeManager attribManager = new DelegatedAttributeManager(); - private List<String> attributeKeys = new ArrayList<String>(); - + + private final List<String> attributeKeys = new ArrayList<String>(); + private transient SAML2HandlerChain chain = null; - + private Context context = null; - - private transient String samlHandlerChainClass = null; - + private transient String samlHandlerChainClass = null; + protected String canonicalizationMethod = CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS; - + /** * If the user wants to set a particular {@link IdentityParticipantStack} */ protected String identityParticipantStack = null; - + /** * A Lock for Handler operations in the chain */ - private Lock chainLock = new ReentrantLock(); - + private final Lock chainLock = new ReentrantLock(); + //Set a list of attributes we are interested in separated by comma public void setAttributeList(String attribList) - { - if(attribList != null && !"".equals(attribList)) + { + if (attribList != null && !"".equals(attribList)) { this.attributeKeys.clear(); - StringTokenizer st = new StringTokenizer(attribList,","); - while(st != null && st.hasMoreTokens()) + StringTokenizer st = new StringTokenizer(attribList, ","); + while (st != null && st.hasMoreTokens()) { this.attributeKeys.add(st.nextToken()); } } } - + public Boolean getIgnoreIncomingSignatures() { return ignoreIncomingSignatures; @@ -177,15 +177,15 @@ { this.ignoreIncomingSignatures = ignoreIncomingSignature; } - + /** * IDP should not do any attributes such as generation of roles etc * @param ignoreAttributes */ public void setIgnoreAttributesGeneration(Boolean ignoreAttributes) { - if( ignoreAttributes == Boolean.TRUE ) - this.attribManager = null; + if (ignoreAttributes == Boolean.TRUE) + this.attribManager = null; } public Boolean getSignOutgoingMessages() @@ -197,7 +197,7 @@ { this.signOutgoingMessages = signOutgoingMessages; } - + public void setRoleGenerator(String rgName) { try @@ -208,15 +208,15 @@ catch (Exception e) { throw new RuntimeException(e); - } - } - + } + } + public void setSamlHandlerChainClass(String samlHandlerChainClass) { this.samlHandlerChainClass = samlHandlerChainClass; } - - public void setIdentityParticipantStack( String fqn ) + + public void setIdentityParticipantStack(String fqn) { this.identityParticipantStack = fqn; } @@ -224,99 +224,91 @@ @Override public void invoke(Request request, Response response) throws IOException, ServletException { - String referer = request.getHeader("Referer"); + String referer = request.getHeader("Referer"); String relayState = request.getParameter(GeneralConstants.RELAY_STATE); - if(isNotNull(relayState)) + if (isNotNull(relayState)) relayState = RedirectBindingUtil.urlDecode(relayState); - + String samlRequestMessage = request.getParameter(GeneralConstants.SAML_REQUEST_KEY); String samlResponseMessage = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY); String signature = request.getParameter("Signature"); - String sigAlg = request.getParameter("SigAlg"); - - boolean containsSAMLRequestMessage = isNotNull(samlRequestMessage); - boolean containsSAMLResponseMessage = isNotNull(samlResponseMessage); - - Session session = request.getSessionInternal(); - - if(containsSAMLRequestMessage || containsSAMLResponseMessage) + String sigAlg = request.getParameter("SigAlg"); + + boolean containsSAMLRequestMessage = isNotNull(samlRequestMessage); + boolean containsSAMLResponseMessage = isNotNull(samlResponseMessage); + + Session session = request.getSessionInternal(); + + if (containsSAMLRequestMessage || containsSAMLResponseMessage) { - if(trace) log.trace("Storing the SAMLRequest/SAMLResponse and RelayState in session"); - if(isNotNull(samlRequestMessage)) - session.setNote(GeneralConstants.SAML_REQUEST_KEY, samlRequestMessage); - if(isNotNull(samlResponseMessage)) - session.setNote(GeneralConstants.SAML_RESPONSE_KEY, samlResponseMessage); - if(isNotNull(relayState)) + if (trace) + log.trace("Storing the SAMLRequest/SAMLResponse and RelayState in session"); + if (isNotNull(samlRequestMessage)) + session.setNote(GeneralConstants.SAML_REQUEST_KEY, samlRequestMessage); + if (isNotNull(samlResponseMessage)) + session.setNote(GeneralConstants.SAML_RESPONSE_KEY, samlResponseMessage); + if (isNotNull(relayState)) session.setNote(GeneralConstants.RELAY_STATE, relayState.trim()); - if(isNotNull(signature)) + if (isNotNull(signature)) session.setNote("Signature", signature.trim()); - if(isNotNull(sigAlg)) + if (isNotNull(sigAlg)) session.setNote("sigAlg", sigAlg.trim()); - } - + } + //Lets check if the user has been authenticated Principal userPrincipal = request.getPrincipal(); - if(userPrincipal == null) + if (userPrincipal == null) { try { //Next in the invocation chain - getNext().invoke(request, response); + getNext().invoke(request, response); } finally { userPrincipal = request.getPrincipal(); referer = request.getHeader("Referer"); - if(trace) - log.trace("Referer in finally block="+ referer + ":user principal=" + userPrincipal); + if (trace) + log.trace("Referer in finally block=" + referer + ":user principal=" + userPrincipal); } } - - + IDPWebRequestUtil webRequestUtil = new IDPWebRequestUtil(request, idpConfiguration, keyManager); - webRequestUtil.setAttributeManager(this.attribManager); - webRequestUtil.setAttributeKeys(attributeKeys); - + Document samlErrorResponse = null; //Look for unauthorized status - if(response.getStatus() == HttpServletResponse.SC_FORBIDDEN) + if (response.getStatus() == HttpServletResponse.SC_FORBIDDEN) { try { - samlErrorResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); - + samlErrorResponse = webRequestUtil.getErrorResponse(referer, + JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), this.identityURL, this.signOutgoingMessages); + WebRequestUtilHolder holder = webRequestUtil.getHolder(); - holder.setResponseDoc(samlErrorResponse).setDestination(referer).setRelayState(relayState).setAreWeSendingRequest(false) - .setPrivateKey(null).setSupportSignature(false).setServletResponse(response); - holder.setPostBindingRequested( webRequestUtil.hasSAMLRequestInPostProfile() ); - - if(this.signOutgoingMessages) + holder.setResponseDoc(samlErrorResponse).setDestination(referer).setRelayState(relayState) + .setAreWeSendingRequest(false).setPrivateKey(null).setSupportSignature(false) + .setServletResponse(response); + holder.setPostBindingRequested(webRequestUtil.hasSAMLRequestInPostProfile()); + + if (this.signOutgoingMessages) { - holder.setSupportSignature(true).setPrivateKey( keyManager.getSigningKey() ); + holder.setSupportSignature(true).setPrivateKey(keyManager.getSigningKey()); webRequestUtil.send(holder); //webRequestUtil.send(samlErrorResponse, referer, relayState, response, true, //this.keyManager.getSigningKey(), false); - } - else - { - // webRequestUtil.send(samlErrorResponse, referer,relayState, response, false,null, false); - } - webRequestUtil.send(holder); - } + webRequestUtil.send(holder); + } catch (GeneralSecurityException e) { throw new ServletException(e); - } + } return; - } - - if(userPrincipal != null) + } + + if (userPrincipal != null) { /** * Since the container has finished the authentication, @@ -329,30 +321,30 @@ relayState = (String) session.getNote(GeneralConstants.RELAY_STATE); signature = (String) session.getNote("Signature"); sigAlg = (String) session.getNote("sigAlg"); - - if(trace) + + if (trace) { StringBuilder builder = new StringBuilder(); builder.append("Retrieved saml messages and relay state from session"); builder.append("saml Request message=").append(samlRequestMessage); builder.append("::").append("SAMLResponseMessage="); builder.append(samlResponseMessage).append(":").append("relay state=").append(relayState); - + builder.append("Signature=").append(signature).append("::sigAlg=").append(sigAlg); log.trace(builder.toString()); } - - if(isNotNull(samlRequestMessage)) - session.removeNote(GeneralConstants.SAML_REQUEST_KEY); - if(isNotNull(samlResponseMessage)) + + if (isNotNull(samlRequestMessage)) + session.removeNote(GeneralConstants.SAML_REQUEST_KEY); + if (isNotNull(samlResponseMessage)) session.removeNote(GeneralConstants.SAML_RESPONSE_KEY); - - if(isNotNull(relayState)) + + if (isNotNull(relayState)) session.removeNote(GeneralConstants.RELAY_STATE); - - if(isNotNull(signature)) + + if (isNotNull(signature)) session.removeNote("Signature"); - if(isNotNull(sigAlg)) + if (isNotNull(sigAlg)) session.removeNote("sigAlg"); boolean willSendRequest = false; @@ -362,262 +354,250 @@ Document samlResponse = null; String destination = null; - + Boolean requestedPostProfile = null; - - + //Send valid saml response after processing the request - if(samlRequestMessage != null) + if (samlRequestMessage != null) { //Get the SAML Request Message - RequestAbstractType requestAbstractType = null; - - try + RequestAbstractType requestAbstractType = null; + + try + { + samlDocumentHolder = webRequestUtil.getSAMLDocumentHolder(samlRequestMessage); + samlObject = samlDocumentHolder.getSamlObject(); + + boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile(); + boolean isValid = validate(request.getRemoteAddr(), request.getQueryString(), new SessionHolder( + samlRequestMessage, signature, sigAlg), isPost); + + if (!isValid) + throw new GeneralSecurityException("Validation check failed"); + + String issuer = null; + IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL); + ProtocolContext protocolContext = new HTTPContext(request, response, context.getServletContext()); + //Create the request/response + SAML2HandlerRequest saml2HandlerRequest = new DefaultSAML2HandlerRequest(protocolContext, + idpIssuer.getIssuer(), samlDocumentHolder, HANDLER_TYPE.IDP); + saml2HandlerRequest.setRelayState(relayState); + + String assertionID = (String) session.getSession().getAttribute(GeneralConstants.ASSERTION_ID); + + //Set the options on the handler request + Map<String, Object> requestOptions = new HashMap<String, Object>(); + if (this.ignoreIncomingSignatures) + requestOptions.put(GeneralConstants.IGNORE_SIGNATURES, Boolean.TRUE); + requestOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator); + requestOptions.put(GeneralConstants.ASSERTIONS_VALIDITY, this.assertionValidity); + requestOptions.put(GeneralConstants.CONFIGURATION, this.idpConfiguration); + if (assertionID != null) + requestOptions.put(GeneralConstants.ASSERTION_ID, assertionID); + + if (this.keyManager != null) { - samlDocumentHolder = webRequestUtil.getSAMLDocumentHolder(samlRequestMessage); - samlObject = (SAML2Object) samlDocumentHolder.getSamlObject(); - - - boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile(); - boolean isValid = validate(request.getRemoteAddr(), - request.getQueryString(), - new SessionHolder(samlRequestMessage, signature, sigAlg), isPost); - - if(!isValid) - throw new GeneralSecurityException("Validation check failed"); + String remoteHost = request.getRemoteAddr(); + if (trace) + { + log.trace("Remote Host=" + remoteHost); + } + PublicKey validatingKey = CoreConfigUtil.getValidatingKey(keyManager, remoteHost); + requestOptions.put(GeneralConstants.SENDER_PUBLIC_KEY, validatingKey); + requestOptions.put(GeneralConstants.DECRYPTING_KEY, keyManager.getSigningKey()); + } - String issuer = null; - IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL); - ProtocolContext protocolContext = new HTTPContext(request,response, context.getServletContext()); - //Create the request/response - SAML2HandlerRequest saml2HandlerRequest = - new DefaultSAML2HandlerRequest(protocolContext, - idpIssuer.getIssuer(), samlDocumentHolder, - HANDLER_TYPE.IDP); - saml2HandlerRequest.setRelayState(relayState); - - String assertionID = (String) session.getSession().getAttribute( GeneralConstants.ASSERTION_ID ); - - //Set the options on the handler request - Map<String, Object> requestOptions = new HashMap<String, Object>(); - if(this.ignoreIncomingSignatures) - requestOptions.put(GeneralConstants.IGNORE_SIGNATURES, Boolean.TRUE); - requestOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator); - requestOptions.put(GeneralConstants.ASSERTIONS_VALIDITY, this.assertionValidity); - requestOptions.put(GeneralConstants.CONFIGURATION, this.idpConfiguration); - if( assertionID != null ) - requestOptions.put(GeneralConstants.ASSERTION_ID, assertionID ); - - if(this.keyManager != null) + Map<String, Object> attribs = this.attribManager.getAttributes(userPrincipal, attributeKeys); + requestOptions.put(GeneralConstants.ATTRIBUTES, attribs); + + saml2HandlerRequest.setOptions(requestOptions); + + List<String> roles = roleGenerator.generateRoles(userPrincipal); + session.getSession().setAttribute(GeneralConstants.ROLES_ID, roles); + + SAML2HandlerResponse saml2HandlerResponse = new DefaultSAML2HandlerResponse(); + + Set<SAML2Handler> handlers = chain.handlers(); + + if (trace) + { + log.trace("Handlers are=" + handlers); + } + + if (samlObject instanceof RequestAbstractType) + { + requestAbstractType = (RequestAbstractType) samlObject; + issuer = requestAbstractType.getIssuer().getValue(); + webRequestUtil.isTrusted(issuer); + + if (handlers != null) { - String remoteHost = request.getRemoteAddr(); - if(trace) + try { - log.trace("Remote Host=" + remoteHost); + chainLock.lock(); + for (SAML2Handler handler : handlers) + { + handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse); + willSendRequest = saml2HandlerResponse.getSendRequest(); + } } - PublicKey validatingKey = CoreConfigUtil.getValidatingKey(keyManager, remoteHost ); - requestOptions.put(GeneralConstants.SENDER_PUBLIC_KEY, validatingKey); - requestOptions.put( GeneralConstants.DECRYPTING_KEY, keyManager.getSigningKey() ); + finally + { + chainLock.unlock(); + } } - - Map<String,Object> attribs = this.attribManager.getAttributes(userPrincipal, attributeKeys); - requestOptions.put(GeneralConstants.ATTRIBUTES, attribs); - - saml2HandlerRequest.setOptions(requestOptions); - - List<String> roles = roleGenerator.generateRoles(userPrincipal); - session.getSession().setAttribute(GeneralConstants.ROLES_ID, roles); - - SAML2HandlerResponse saml2HandlerResponse = new DefaultSAML2HandlerResponse(); + } + else + throw new RuntimeException("Unknown type:" + samlObject.getClass().getName()); - Set<SAML2Handler> handlers = chain.handlers(); - - if(trace) + samlResponse = saml2HandlerResponse.getResultingDocument(); + relayState = saml2HandlerResponse.getRelayState(); + + destination = saml2HandlerResponse.getDestination(); + + requestedPostProfile = saml2HandlerResponse.isPostBindingForResponse(); + } + catch (IssuerNotTrustedException e) + { + if (trace) + log.trace("Exception in processing request:", e); + + samlResponse = webRequestUtil.getErrorResponse(referer, + JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get(), this.identityURL, this.signOutgoingMessages); + } + catch (ParsingException e) + { + if (trace) + log.trace("Exception in processing request:", e); + + samlResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), + this.identityURL, this.signOutgoingMessages); + } + catch (ConfigurationException e) + { + if (trace) + log.trace("Exception in processing request:", e); + + samlResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), + this.identityURL, this.signOutgoingMessages); + } + catch (IssueInstantMissingException e) + { + if (trace) + log.trace("Exception in processing request:", e); + + samlResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), + this.identityURL, this.signOutgoingMessages); + } + catch (GeneralSecurityException e) + { + if (trace) + log.trace("Exception in processing request:", e); + + samlResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), + this.identityURL, this.signOutgoingMessages); + } + catch (Exception e) + { + if (trace) + log.trace("Exception in processing request:", e); + + samlResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), + this.identityURL, this.signOutgoingMessages); + } + finally + { + try + { + boolean postProfile = webRequestUtil.hasSAMLRequestInPostProfile(); + if (postProfile) + recycle(response); + + WebRequestUtilHolder holder = webRequestUtil.getHolder(); + holder.setResponseDoc(samlResponse).setDestination(destination).setRelayState(relayState) + .setAreWeSendingRequest(willSendRequest).setPrivateKey(null).setSupportSignature(false) + .setServletResponse(response); + + if (requestedPostProfile != null) + holder.setPostBindingRequested(requestedPostProfile); + else + holder.setPostBindingRequested(postProfile); + + if (this.signOutgoingMessages) { - log.trace("Handlers are=" + handlers); + holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true); } - - if(samlObject instanceof RequestAbstractType) - { - requestAbstractType = (RequestAbstractType) samlObject; - issuer = requestAbstractType.getIssuer().getValue(); - webRequestUtil.isTrusted(issuer); - - if(handlers != null) - { - try - { - chainLock.lock(); - for(SAML2Handler handler: handlers) - { - handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse); - willSendRequest = saml2HandlerResponse.getSendRequest(); - } - } - finally - { - chainLock.unlock(); - } - } - } - else - throw new RuntimeException("Unknown type:" + samlObject.getClass().getName()); - samlResponse = saml2HandlerResponse.getResultingDocument(); - relayState = saml2HandlerResponse.getRelayState(); - - destination = saml2HandlerResponse.getDestination(); - - requestedPostProfile = saml2HandlerResponse.isPostBindingForResponse(); + webRequestUtil.send(holder); } - catch (IssuerNotTrustedException e) - { - if(trace) log.trace("Exception in processing request:",e); - - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get(), - this.identityURL, this.signOutgoingMessages); - } catch (ParsingException e) { - if(trace) log.trace("Exception in processing request:",e); - - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); + if (trace) + log.trace("Parsing exception:", e); } - catch (ConfigurationException e) + catch (GeneralSecurityException e) { - if(trace) log.trace("Exception in processing request:",e); - - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); + if (trace) + log.trace("Security Exception:", e); } - catch (IssueInstantMissingException e) - { - if(trace) log.trace("Exception in processing request:",e); - - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); - } - catch(GeneralSecurityException e) - { - if(trace) log.trace("Exception in processing request:", e); - - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); - } - catch(Exception e) - { - if(trace) log.trace("Exception in processing request:",e); - - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); - } - finally - { - try - { - boolean postProfile = webRequestUtil.hasSAMLRequestInPostProfile(); - if( postProfile ) - recycle(response); - - - WebRequestUtilHolder holder = webRequestUtil.getHolder(); - holder.setResponseDoc(samlResponse).setDestination(destination).setRelayState(relayState).setAreWeSendingRequest(willSendRequest) - .setPrivateKey(null).setSupportSignature(false).setServletResponse(response); - - if( requestedPostProfile != null ) - holder.setPostBindingRequested( requestedPostProfile ); - else - holder.setPostBindingRequested(postProfile); - - if(this.signOutgoingMessages) - { - holder.setPrivateKey( keyManager.getSigningKey() ).setSupportSignature( true ); - } - - webRequestUtil.send(holder); - } - catch (ParsingException e) - { - if(trace) log.trace("Parsing exception:", e); - } - catch (GeneralSecurityException e) - { - if(trace) log.trace("Security Exception:",e); - } - } + } return; } - else if(isNotNull(samlResponseMessage)) + else if (isNotNull(samlResponseMessage)) { StatusResponseType statusResponseType = null; try { samlDocumentHolder = webRequestUtil.getSAMLDocumentHolder(samlResponseMessage); - samlObject = (SAML2Object) samlDocumentHolder.getSamlObject(); - + samlObject = samlDocumentHolder.getSamlObject(); + boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile(); boolean isValid = false; - + String remoteAddress = request.getRemoteAddr(); - - if(isPost) + + if (isPost) { //Validate - SAML2Signature samlSignature = new SAML2Signature(); - - if( ignoreIncomingSignatures == false && signOutgoingMessages == true ) + SAML2Signature samlSignature = new SAML2Signature(); + + if (ignoreIncomingSignatures == false && signOutgoingMessages == true) { PublicKey publicKey = keyManager.getValidatingKey(remoteAddress); - isValid = samlSignature.validate(samlDocumentHolder.getSamlDocument(), publicKey); + isValid = samlSignature.validate(samlDocumentHolder.getSamlDocument(), publicKey); } else isValid = true; } else - { - isValid = validate(remoteAddress, - request.getQueryString(), - new SessionHolder(samlResponseMessage, signature, sigAlg), isPost); + { + isValid = validate(remoteAddress, request.getQueryString(), new SessionHolder(samlResponseMessage, + signature, sigAlg), isPost); } - - if(!isValid) + + if (!isValid) throw new GeneralSecurityException("Validation check failed"); String issuer = null; IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL); - ProtocolContext protocolContext = new HTTPContext(request,response, context.getServletContext()); + ProtocolContext protocolContext = new HTTPContext(request, response, context.getServletContext()); //Create the request/response - SAML2HandlerRequest saml2HandlerRequest = - new DefaultSAML2HandlerRequest(protocolContext, - idpIssuer.getIssuer(), samlDocumentHolder, - HANDLER_TYPE.IDP); + SAML2HandlerRequest saml2HandlerRequest = new DefaultSAML2HandlerRequest(protocolContext, + idpIssuer.getIssuer(), samlDocumentHolder, HANDLER_TYPE.IDP); saml2HandlerRequest.setRelayState(relayState); - - SAML2HandlerResponse saml2HandlerResponse = new DefaultSAML2HandlerResponse(); + SAML2HandlerResponse saml2HandlerResponse = new DefaultSAML2HandlerResponse(); + Set<SAML2Handler> handlers = chain.handlers(); - - if(samlObject instanceof StatusResponseType) + + if (samlObject instanceof StatusResponseType) { statusResponseType = (StatusResponseType) samlObject; issuer = statusResponseType.getIssuer().getValue(); webRequestUtil.isTrusted(issuer); - - if(handlers != null) - { + + if (handlers != null) + { try { chainLock.lock(); @@ -631,149 +611,147 @@ finally { chainLock.unlock(); - } - } + } + } } else throw new RuntimeException("Unknown type:" + samlObject.getClass().getName()); samlResponse = saml2HandlerResponse.getResultingDocument(); relayState = saml2HandlerResponse.getRelayState(); - + destination = saml2HandlerResponse.getDestination(); requestedPostProfile = saml2HandlerResponse.isPostBindingForResponse(); } catch (IssuerNotTrustedException e) { - if(trace) log.trace("Exception in processing request:",e); - - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get(), - this.identityURL, this.signOutgoingMessages); + if (trace) + log.trace("Exception in processing request:", e); + + samlResponse = webRequestUtil.getErrorResponse(referer, + JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get(), this.identityURL, this.signOutgoingMessages); } catch (ParsingException e) { - if(trace) log.trace("Exception in processing request:",e); - - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); + if (trace) + log.trace("Exception in processing request:", e); + + samlResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), + this.identityURL, this.signOutgoingMessages); } catch (ConfigurationException e) { - if(trace) log.trace("Exception in processing request:",e); - - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); + if (trace) + log.trace("Exception in processing request:", e); + + samlResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), + this.identityURL, this.signOutgoingMessages); } catch (IssueInstantMissingException e) { - if(trace) log.trace("Exception in processing request:",e); - - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); - } - catch(GeneralSecurityException e) + if (trace) + log.trace("Exception in processing request:", e); + + samlResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), + this.identityURL, this.signOutgoingMessages); + } + catch (GeneralSecurityException e) { - if(trace) log.trace("Exception in processing request:", e); - - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); + if (trace) + log.trace("Exception in processing request:", e); + + samlResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), + this.identityURL, this.signOutgoingMessages); } - catch(Exception e) + catch (Exception e) { - if(trace) log.trace("Exception in processing request:",e); - - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); + if (trace) + log.trace("Exception in processing request:", e); + + samlResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), + this.identityURL, this.signOutgoingMessages); } finally { try { - boolean postProfile = webRequestUtil.hasSAMLRequestInPostProfile(); - if( postProfile ) + boolean postProfile = webRequestUtil.hasSAMLRequestInPostProfile(); + if (postProfile) recycle(response); - + WebRequestUtilHolder holder = webRequestUtil.getHolder(); - holder.setResponseDoc(samlResponse).setDestination(destination).setRelayState(relayState).setAreWeSendingRequest(willSendRequest) - .setPrivateKey(null).setSupportSignature(false).setServletResponse(response).setPostBindingRequested( requestedPostProfile ); - - if( requestedPostProfile != null ) - holder.setPostBindingRequested( requestedPostProfile ); + holder.setResponseDoc(samlResponse).setDestination(destination).setRelayState(relayState) + .setAreWeSendingRequest(willSendRequest).setPrivateKey(null).setSupportSignature(false) + .setServletResponse(response).setPostBindingRequested(requestedPostProfile); + + if (requestedPostProfile != null) + holder.setPostBindingRequested(requestedPostProfile); else holder.setPostBindingRequested(postProfile); - - - if(this.signOutgoingMessages) - { - holder.setPrivateKey( keyManager.getSigningKey() ).setSupportSignature( true ); - } - webRequestUtil.send( holder ); + + if (this.signOutgoingMessages) + { + holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true); + } + webRequestUtil.send(holder); } catch (ParsingException e) { - if(trace) log.trace("Parsing exception:", e); - } + if (trace) + log.trace("Parsing exception:", e); + } catch (GeneralSecurityException e) { - if(trace) log.trace("Security Exception:",e); + if (trace) + log.trace("Security Exception:", e); } - } - return; + } + return; } else { log.error("No SAML Request or Response Message"); - if(trace) log.trace("Referer="+referer); - + if (trace) + log.trace("Referer=" + referer); + try { sendErrorResponseToSP(referer, response, relayState, webRequestUtil); } catch (ConfigurationException e) { - if(trace) log.trace(e); - } - } - } + if (trace) + log.trace(e); + } + } + } } - + protected void sendErrorResponseToSP(String referrer, Response response, String relayState, IDPWebRequestUtil webRequestUtil) throws ServletException, IOException, ConfigurationException { - if(trace) log.trace("About to send error response to SP:" + referrer); - - Document samlResponse = - webRequestUtil.getErrorResponse(referrer, JBossSAMLURIConstants.STATUS_RESPONDER.get(), - this.identityURL, this.signOutgoingMessages); + if (trace) + log.trace("About to send error response to SP:" + referrer); + + Document samlResponse = webRequestUtil.getErrorResponse(referrer, JBossSAMLURIConstants.STATUS_RESPONDER.get(), + this.identityURL, this.signOutgoingMessages); try { - boolean postProfile = webRequestUtil.hasSAMLRequestInPostProfile(); - if( postProfile ) + boolean postProfile = webRequestUtil.hasSAMLRequestInPostProfile(); + if (postProfile) recycle(response); - WebRequestUtilHolder holder = webRequestUtil.getHolder(); - holder.setResponseDoc(samlResponse).setDestination(referrer).setRelayState(relayState).setAreWeSendingRequest( false ) - .setPrivateKey(null).setSupportSignature(false).setServletResponse(response); + holder.setResponseDoc(samlResponse).setDestination(referrer).setRelayState(relayState) + .setAreWeSendingRequest(false).setPrivateKey(null).setSupportSignature(false) + .setServletResponse(response); holder.setPostBindingRequested(postProfile); - - if(this.signOutgoingMessages) - { + + if (this.signOutgoingMessages) + { holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true); - } + } webRequestUtil.send(holder); } catch (ParsingException e1) @@ -781,15 +759,14 @@ throw new ServletException(e1); } catch (GeneralSecurityException e) - { + { throw new ServletException(e); - } + } } - - protected boolean validate(String remoteAddress, - String queryString, - SessionHolder holder, boolean isPost) throws IOException, GeneralSecurityException - { + + protected boolean validate(String remoteAddress, String queryString, SessionHolder holder, boolean isPost) + throws IOException, GeneralSecurityException + { if (!isNotNull(holder.samlRequest)) { return false; @@ -803,12 +780,12 @@ log.error("Signature received from SP is null:" + remoteAddress); return false; } - + //Check if there is a signature byte[] sigValue = RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(queryString); - if(sigValue == null) + if (sigValue == null) return false; - + PublicKey validatingKey; try { @@ -822,7 +799,7 @@ { throw new GeneralSecurityException(e.getCause()); } - + return RedirectBindingSignatureUtil.validateSignature(queryString, validatingKey, sigValue); } else @@ -831,7 +808,7 @@ return true; } } - + //***************Lifecycle /** * The lifecycle event support for this component. @@ -848,33 +825,30 @@ * * @param listener The listener to add */ - public void addLifecycleListener(LifecycleListener listener) + public void addLifecycleListener(LifecycleListener listener) { - lifecycle.addLifecycleListener(listener); + lifecycle.addLifecycleListener(listener); } - /** * Get the lifecycle listeners associated with this lifecycle. If this * Lifecycle has no listeners registered, a zero-length array is returned. */ - public LifecycleListener[] findLifecycleListeners() + public LifecycleListener[] findLifecycleListeners() { - return lifecycle.findLifecycleListeners(); + return lifecycle.findLifecycleListeners(); } - /** * Remove a lifecycle event listener from this component. * * @param listener The listener to add */ - public void removeLifecycleListener(LifecycleListener listener) + public void removeLifecycleListener(LifecycleListener listener) { - lifecycle.removeLifecycleListener(listener); + lifecycle.removeLifecycleListener(listener); } - /** * Prepare for the beginning of active use of the public methods of this * component. This method should be called after <code>configure()</code>, @@ -886,17 +860,16 @@ public void start() throws LifecycleException { Handlers handlers = null; - - // Validate and update our current component state - if (started) - throw new LifecycleException - ("IDPWebBrowserSSOValve already Started"); - lifecycle.fireLifecycleEvent(START_EVENT, null); - started = true; - - //Get the chain from config - if(StringUtil.isNullOrEmpty(samlHandlerChainClass)) - chain = SAML2HandlerChainFactory.createChain(); + + // Validate and update our current component state + if (started) + throw new LifecycleException("IDPWebBrowserSSOValve already Started"); + lifecycle.fireLifecycleEvent(START_EVENT, null); + started = true; + + //Get the chain from config + if (StringUtil.isNullOrEmpty(samlHandlerChainClass)) + chain = SAML2HandlerChainFactory.createChain(); else try { @@ -906,142 +879,144 @@ { throw new LifecycleException(e1); } - - String configFile = GeneralConstants.CONFIG_FILE_LOCATION; - - context = (Context) getContainer(); - InputStream is = context.getServletContext().getResourceAsStream(configFile); - if(is == null) - throw new RuntimeException(configFile + " missing"); - try - { - idpConfiguration = ConfigurationUtil.getIDPConfiguration(is); - this.identityURL = idpConfiguration.getIdentityURL(); - if(trace) log.trace("Identity Provider URL=" + this.identityURL); - this.assertionValidity = idpConfiguration.getAssertionValidity(); - this.canonicalizationMethod = idpConfiguration.getCanonicalizationMethod(); - log.info( "IDPWebBrowserSSOValve:: Setting the CanonicalizationMethod on XMLSignatureUtil::" + canonicalizationMethod ); - XMLSignatureUtil.setCanonicalizationMethodType(canonicalizationMethod); - - //Get the attribute manager - String attributeManager = idpConfiguration.getAttributeManager(); - if(attributeManager != null && !"".equals(attributeManager)) - { - ClassLoader tcl = SecurityActions.getContextClassLoader(); - AttributeManager delegate = (AttributeManager) tcl.loadClass(attributeManager).newInstance(); - this.attribManager.setDelegate(delegate); - } - } - catch (Exception e) - { - throw new RuntimeException(e); - } - - //Ensure that the Core STS has the SAML20 Token Provider - PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance(); - //Let us look for a file - String configPath = context.getServletContext().getRealPath( "/WEB-INF/picketlink-sts.xml" ); - File stsTokenConfigFile = configPath != null ? new File( configPath ) : null ; - - if( stsTokenConfigFile == null || stsTokenConfigFile.exists() == false ) - { - log.info( "Did not find picketlink-sts.xml. We will install default configuration" ); - sts.installDefaultConfiguration(); - } - else - sts.installDefaultConfiguration( configPath ); - - if(this.signOutgoingMessages) - { - KeyProviderType keyProvider = this.idpConfiguration.getKeyProvider(); - if(keyProvider == null) - throw new LifecycleException("Key Provider is null for context=" + context.getName()); - - try - { - this.keyManager = CoreConfigUtil.getTrustKeyManager(keyProvider); - - List<AuthPropertyType> authProperties = CoreConfigUtil.getKeyProviderProperties(keyProvider); - keyManager.setAuthProperties( authProperties ); - keyManager.setValidatingAlias(keyProvider.getValidatingAlias()); - } - catch(Exception e) - { - log.error("Exception reading configuration:",e); - throw new LifecycleException(e.getLocalizedMessage()); - } - if(trace) log.trace("Key Provider=" + keyProvider.getClassName()); - } - - try - { - //Get the handlers - String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION; - handlers = ConfigurationUtil.getHandlers(context.getServletContext().getResourceAsStream(handlerConfigFileName)); - chain.addAll(HandlerUtil.getHandlers(handlers)); - - Map<String, Object> chainConfigOptions = new HashMap<String, Object>(); - chainConfigOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator); - chainConfigOptions.put(GeneralConstants.CONFIGURATION, idpConfiguration); - chainConfigOptions.put( GeneralConstants.CANONICALIZATION_METHOD, canonicalizationMethod ); - if(this.keyManager != null) + + String configFile = GeneralConstants.CONFIG_FILE_LOCATION; + + context = (Context) getContainer(); + InputStream is = context.getServletContext().getResourceAsStream(configFile); + if (is == null) + throw new RuntimeException(configFile + " missing"); + try + { + idpConfiguration = ConfigurationUtil.getIDPConfiguration(is); + this.identityURL = idpConfiguration.getIdentityURL(); + if (trace) + log.trace("Identity Provider URL=" + this.identityURL); + this.assertionValidity = idpConfiguration.getAssertionValidity(); + this.canonicalizationMethod = idpConfiguration.getCanonicalizationMethod(); + log.info("IDPWebBrowserSSOValve:: Setting the CanonicalizationMethod on XMLSignatureUtil::" + + canonicalizationMethod); + XMLSignatureUtil.setCanonicalizationMethodType(canonicalizationMethod); + + //Get the attribute manager + String attributeManager = idpConfiguration.getAttributeManager(); + if (attributeManager != null && !"".equals(attributeManager)) + { + ClassLoader tcl = SecurityActions.getContextClassLoader(); + AttributeManager delegate = (AttributeManager) tcl.loadClass(attributeManager).newInstance(); + this.attribManager.setDelegate(delegate); + } + } + catch (Exception e) + { + throw new RuntimeException(e); + } + + //Ensure that the Core STS has the SAML20 Token Provider + PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance(); + //Let us look for a file + String configPath = context.getServletContext().getRealPath("/WEB-INF/picketlink-sts.xml"); + File stsTokenConfigFile = configPath != null ? new File(configPath) : null; + + if (stsTokenConfigFile == null || stsTokenConfigFile.exists() == false) + { + log.info("Did not find picketlink-sts.xml. We will install default configuration"); + sts.installDefaultConfiguration(); + } + else + sts.installDefaultConfiguration(configPath); + + if (this.signOutgoingMessages) + { + KeyProviderType keyProvider = this.idpConfiguration.getKeyProvider(); + if (keyProvider == null) + throw new LifecycleException("Key Provider is null for context=" + context.getName()); + + try + { + this.keyManager = CoreConfigUtil.getTrustKeyManager(keyProvider); + + List<AuthPropertyType> authProperties = CoreConfigUtil.getKeyProviderProperties(keyProvider); + keyManager.setAuthProperties(authProperties); + keyManager.setValidatingAlias(keyProvider.getValidatingAlias()); + } + catch (Exception e) + { + log.error("Exception reading configuration:", e); + throw new LifecycleException(e.getLocalizedMessage()); + } + if (trace) + log.trace("Key Provider=" + keyProvider.getClassName()); + } + + try + { + //Get the handlers + String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION; + handlers = ConfigurationUtil.getHandlers(context.getServletContext() + .getResourceAsStream(handlerConfigFileName)); + chain.addAll(HandlerUtil.getHandlers(handlers)); + + Map<String, Object> chainConfigOptions = new HashMap<String, Object>(); + chainConfigOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator); + chainConfigOptions.put(GeneralConstants.CONFIGURATION, idpConfiguration); + chainConfigOptions.put(GeneralConstants.CANONICALIZATION_METHOD, canonicalizationMethod); + if (this.keyManager != null) chainConfigOptions.put(GeneralConstants.KEYPAIR, keyManager.getSigningKeyPair()); - - SAML2HandlerChainConfig handlerChainConfig = new DefaultSAML2HandlerChainConfig(chainConfigOptions); - - Set<SAML2Handler> samlHandlers = chain.handlers(); - - for(SAML2Handler handler: samlHandlers) - { - handler.initChainConfig(handlerChainConfig); - } - } - catch(Exception e) - { - log.error("Exception dealing with handler configuration:",e); - throw new LifecycleException(e.getLocalizedMessage()); - } - - //Add some keys to the attibutes - String[] ak = new String[] {"mail","cn","commonname","givenname", - "surname","employeeType", - "employeeNumber", - "facsimileTelephoneNumber"}; - - this.attributeKeys.addAll(Arrays.asList(ak)); - - //The Identity Server on the servlet context gets set - //in the implementation of IdentityServer - //Create an Identity Server and set it on the context - IdentityServer identityServer = (IdentityServer) context.getServletContext().getAttribute(GeneralConstants.IDENTITY_SERVER); - if(identityServer == null) - { - identityServer = new IdentityServer(); - context.getServletContext().setAttribute(GeneralConstants.IDENTITY_SERVER, identityServer); - if( StringUtil.isNotNull( this.identityParticipantStack )) - { - try + + SAML2HandlerChainConfig handlerChainConfig = new DefaultSAML2HandlerChainConfig(chainConfigOptions); + + Set<SAML2Handler> samlHandlers = chain.handlers(); + + for (SAML2Handler handler : samlHandlers) + { + handler.initChainConfig(handlerChainConfig); + } + } + catch (Exception e) + { + log.error("Exception dealing with handler configuration:", e); + throw new LifecycleException(e.getLocalizedMessage()); + } + + //Add some keys to the attibutes + String[] ak = new String[] + {"mail", "cn", "commonname", "givenname", "surname", "employeeType", "employeeNumber", "facsimileTelephoneNumber"}; + + this.attributeKeys.addAll(Arrays.asList(ak)); + + //The Identity Server on the servlet context gets set + //in the implementation of IdentityServer + //Create an Identity Server and set it on the context + IdentityServer identityServer = (IdentityServer) context.getServletContext().getAttribute( + GeneralConstants.IDENTITY_SERVER); + if (identityServer == null) + { + identityServer = new IdentityServer(); + context.getServletContext().setAttribute(GeneralConstants.IDENTITY_SERVER, identityServer); + if (StringUtil.isNotNull(this.identityParticipantStack)) + { + try { - Class<?> stackClass = SecurityActions.getContextClassLoader().loadClass( this.identityParticipantStack ); - identityServer.setStack( (IdentityParticipantStack) stackClass.newInstance() ); + Class<?> stackClass = SecurityActions.getContextClassLoader().loadClass(this.identityParticipantStack); + identityServer.setStack((IdentityParticipantStack) stackClass.newInstance()); } catch (ClassNotFoundException e) - { - log.error( "Unable to set the Identity Participant Stack Class. Will just use the default", e ); + { + log.error("Unable to set the Identity Participant Stack Class. Will just use the default", e); } catch (InstantiationException e) { - log.error( "Unable to set the Identity Participant Stack Class. Will just use the default", e ); + log.error("Unable to set the Identity Participant Stack Class. Will just use the default", e); } catch (IllegalAccessException e) { - log.error( "Unable to set the Identity Participant Stack Class. Will just use the default", e ); + log.error("Unable to set the Identity Participant Stack Class. Will just use the default", e); } - } - } + } + } } - /** * Gracefully terminate the active use of the public methods of this * component. This method should be the last one called on a given @@ -1050,31 +1025,33 @@ * @exception LifecycleException if this component detects a fatal error * that needs to be reported */ - public void stop() throws LifecycleException + public void stop() throws LifecycleException { - // Validate and update our current component state - if (!started) - throw new LifecycleException - ("IDPWebBrowserSSOValve NotStarted"); - lifecycle.fireLifecycleEvent(STOP_EVENT, null); - started = false; - } + // Validate and update our current component state + if (!started) + throw new LifecycleException("IDPWebBrowserSSOValve NotStarted"); + lifecycle.fireLifecycleEvent(STOP_EVENT, null); + started = false; + } + //Private Methods - + protected static class SessionHolder { String samlRequest; + String signature; - String sigAlg; - + + String sigAlg; + public SessionHolder(String req, String sig, String alg) { this.samlRequest = req; this.signature = sig; - this.sigAlg = alg; + this.sigAlg = alg; } } - + private void recycle(Response response) { /** Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java =================================================================== --- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java 2011-03-15 16:39:35 UTC (rev 811) +++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java 2011-03-15 17:14:01 UTC (rev 812) @@ -21,6 +21,8 @@ */ package org.picketlink.identity.federation.web.servlets; +import static org.picketlink.identity.federation.core.util.StringUtil.isNotNull; + import java.io.File; import java.io.IOException; import java.io.InputStream; @@ -67,11 +69,11 @@ import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerRequest; import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerResponse; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler; +import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler.HANDLER_TYPE; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChain; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChainConfig; import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest; -import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse; -import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler.HANDLER_TYPE; +import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse; import org.picketlink.identity.federation.core.saml.v2.util.HandlerUtil; import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS; import org.picketlink.identity.federation.core.util.CoreConfigUtil; @@ -79,7 +81,7 @@ import org.picketlink.identity.federation.core.util.XMLSignatureUtil; import org.picketlink.identity.federation.newmodel.saml.v2.protocol.RequestAbstractType; import org.picketlink.identity.federation.newmodel.saml.v2.protocol.StatusResponseType; -import org.picketlink.identity.federation.saml.v2.SAML2Object; +import org.picketlink.identity.federation.saml.v2.SAML2Object; import org.picketlink.identity.federation.web.constants.GeneralConstants; import org.picketlink.identity.federation.web.core.HTTPContext; import org.picketlink.identity.federation.web.core.IdentityParticipantStack; @@ -87,13 +89,10 @@ import org.picketlink.identity.federation.web.roles.DefaultRoleGenerator; import org.picketlink.identity.federation.web.util.ConfigurationUtil; import org.picketlink.identity.federation.web.util.IDPWebRequestUtil; -import org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil; import org.picketlink.identity.federation.web.util.IDPWebRequestUtil.WebRequestUtilHolder; +import org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil; import org.w3c.dom.Document; - -import static org.picketlink.identity.federation.core.util.StringUtil.isNotNull; - /** * SAML Web Browser SSO - POST binding * @author Anil.Saldhana(a)redhat.com @@ -102,17 +101,19 @@ public class IDPServlet extends HttpServlet { private static final long serialVersionUID = 1L; + private static Logger log = Logger.getLogger(IDPServlet.class); - private boolean trace = log.isTraceEnabled(); - + + private final boolean trace = log.isTraceEnabled(); + protected transient IDPType idpConfiguration = null; protected transient RoleGenerator roleGenerator = new DefaultRoleGenerator(); - + protected transient DelegatedAttributeManager attribManager = new DelegatedAttributeManager(); protected List<String> attributeKeys = new ArrayList<String>(); - + protected long assertionValidity = 5000; // 5 seconds in miliseconds protected String identityURL = null; @@ -121,12 +122,12 @@ protected Boolean ignoreIncomingSignatures = false; - protected Boolean signOutgoingMessages = true; - + protected Boolean signOutgoingMessages = true; + protected String canonicalizationMethod = CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS; - + protected transient ServletContext context = null; - + protected transient SAML2HandlerChain chain = null; /** @@ -138,412 +139,395 @@ { return ignoreIncomingSignatures; } - + @Override public void init(ServletConfig config) throws ServletException { Handlers handlers = null; super.init(config); String configFile = GeneralConstants.CONFIG_FILE_LOCATION; - + context = config.getServletContext(); - + InputStream is = context.getResourceAsStream(configFile); - if(is == null) + if (is == null) throw new RuntimeException(configFile + " missing"); //Get the chain from config chain = new DefaultSAML2HandlerChain(); - + try { idpConfiguration = ConfigurationUtil.getIDPConfiguration(is); - this.identityURL = idpConfiguration.getIdentityURL(); - log.trace("Identity Provider URL=" + this.identityURL); + this.identityURL = idpConfiguration.getIdentityURL(); + log.trace("Identity Provider URL=" + this.identityURL); this.assertionValidity = idpConfiguration.getAssertionValidity(); - + this.canonicalizationMethod = idpConfiguration.getCanonicalizationMethod(); - log.info( "IDPServlet:: Setting the CanonicalizationMethod on XMLSignatureUtil::" + canonicalizationMethod ); + log.info("IDPServlet:: Setting the CanonicalizationMethod on XMLSignatureUtil::" + canonicalizationMethod); XMLSignatureUtil.setCanonicalizationMethodType(canonicalizationMethod); - + //Get the attribute manager String attributeManager = idpConfiguration.getAttributeManager(); - if(attributeManager != null && !"".equals(attributeManager)) + if (attributeManager != null && !"".equals(attributeManager)) { ClassLoader tcl = SecurityActions.getContextClassLoader(); AttributeManager delegate = (AttributeManager) tcl.loadClass(attributeManager).newInstance(); this.attribManager.setDelegate(delegate); } - + //Get the handlers String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION; handlers = ConfigurationUtil.getHandlers(context.getResourceAsStream(handlerConfigFileName)); - chain.addAll(HandlerUtil.getHandlers(handlers)); - + chain.addAll(HandlerUtil.getHandlers(handlers)); + Map<String, Object> chainConfigOptions = new HashMap<String, Object>(); chainConfigOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator); chainConfigOptions.put(GeneralConstants.CONFIGURATION, idpConfiguration); - chainConfigOptions.put( GeneralConstants.CANONICALIZATION_METHOD, canonicalizationMethod ); - + chainConfigOptions.put(GeneralConstants.CANONICALIZATION_METHOD, canonicalizationMethod); + SAML2HandlerChainConfig handlerChainConfig = new DefaultSAML2HandlerChainConfig(chainConfigOptions); Set<SAML2Handler> samlHandlers = chain.handlers(); - - for(SAML2Handler handler: samlHandlers) + + for (SAML2Handler handler : samlHandlers) { handler.initChainConfig(handlerChainConfig); - } + } } catch (Exception e) { throw new RuntimeException(e); } - + //Handle the sign outgoing messages String signOutgoingString = config.getInitParameter(GeneralConstants.SIGN_OUTGOING_MESSAGES); - if(signOutgoingString != null && !"".equals(signOutgoingString)) + if (signOutgoingString != null && !"".equals(signOutgoingString)) this.signOutgoingMessages = Boolean.parseBoolean(signOutgoingString); - - - if(this.signOutgoingMessages) + + if (this.signOutgoingMessages) { KeyProviderType keyProvider = this.idpConfiguration.getKeyProvider(); - if(keyProvider == null) + if (keyProvider == null) throw new RuntimeException("Key Provider is null for context=" + context.getContextPath()); - + try { ClassLoader tcl = SecurityActions.getContextClassLoader(); String keyManagerClassName = keyProvider.getClassName(); - if(keyManagerClassName == null) + if (keyManagerClassName == null) throw new RuntimeException("KeyManager class name is null"); - + Class<?> clazz = tcl.loadClass(keyManagerClassName); this.keyManager = (TrustKeyManager) clazz.newInstance(); - + List<AuthPropertyType> authProperties = CoreConfigUtil.getKeyProviderProperties(keyProvider); - - keyManager.setAuthProperties( authProperties ); + + keyManager.setAuthProperties(authProperties); keyManager.setValidatingAlias(keyProvider.getValidatingAlias()); } - catch(Exception e) + catch (Exception e) { - log.error("Exception reading configuration:",e); + log.error("Exception reading configuration:", e); throw new RuntimeException(e.getLocalizedMessage()); } - if(trace) - log.trace("Key Provider=" + keyProvider.getClassName()); + if (trace) + log.trace("Key Provider=" + keyProvider.getClassName()); } - + //handle the role generator String rgString = config.getInitParameter(GeneralConstants.ROLE_GENERATOR); - if(rgString != null && !"".equals(rgString)) + if (rgString != null && !"".equals(rgString)) this.setRoleGenerator(rgString); - + //Get a list of attributes we are interested in String attribList = config.getInitParameter(GeneralConstants.ATTRIBUTE_KEYS); - if(attribList != null && !"".equals(attribList)) + if (attribList != null && !"".equals(attribList)) { - StringTokenizer st = new StringTokenizer(attribList,","); - while(st != null && st.hasMoreTokens()) + StringTokenizer st = new StringTokenizer(attribList, ","); + while (st != null && st.hasMoreTokens()) { this.attributeKeys.add(st.nextToken()); } - } - + } + //The Identity Server on the servlet context gets set //in the implementation of IdentityServer //Create an Identity Server and set it on the context IdentityServer identityServer = (IdentityServer) context.getAttribute(GeneralConstants.IDENTITY_SERVER); - if(identityServer == null) + if (identityServer == null) { identityServer = new IdentityServer(); - context.setAttribute(GeneralConstants.IDENTITY_SERVER, identityServer); - String theStackParam = config.getInitParameter( GeneralConstants.IDENTITY_PARTICIPANT_STACK ); - if( StringUtil.isNotNull( theStackParam ) ) + context.setAttribute(GeneralConstants.IDENTITY_SERVER, identityServer); + String theStackParam = config.getInitParameter(GeneralConstants.IDENTITY_PARTICIPANT_STACK); + if (StringUtil.isNotNull(theStackParam)) { try { Class<?> stackClass = SecurityActions.getContextClassLoader().loadClass(theStackParam); - identityServer.setStack( (IdentityParticipantStack) stackClass.newInstance() ); + identityServer.setStack((IdentityParticipantStack) stackClass.newInstance()); } catch (ClassNotFoundException e) - { - log( "Unable to set the Identity Participant Stack Class. Will just use the default", e ); + { + log("Unable to set the Identity Participant Stack Class. Will just use the default", e); } catch (InstantiationException e) { - log( "Unable to set the Identity Participant Stack Class. Will just use the default", e ); + log("Unable to set the Identity Participant Stack Class. Will just use the default", e); } catch (IllegalAccessException e) { - log( "Unable to set the Identity Participant Stack Class. Will just use the default", e ); + log("Unable to set the Identity Participant Stack Class. Will just use the default", e); } } - } - + } + //Ensure the configuration in the STS PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance(); //Let us look for a file - String configPath = context.getRealPath( "/WEB-INF/picketlink-sts.xml" ); - File stsConfigFile = configPath != null ? new File( configPath ) : null; - - if( stsConfigFile == null || !stsConfigFile.exists() ) + String configPath = context.getRealPath("/WEB-INF/picketlink-sts.xml"); + File stsConfigFile = configPath != null ? new File(configPath) : null; + + if (stsConfigFile == null || !stsConfigFile.exists()) sts.installDefaultConfiguration(); else - sts.installDefaultConfiguration( configPath ); - } - - + sts.installDefaultConfiguration(configPath); + } + @SuppressWarnings("unchecked") @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { //Some issue with filters and servlets - HttpSession session = request.getSession(false); - + HttpSession session = request.getSession(false); + String samlRequestMessage = (String) session.getAttribute(GeneralConstants.SAML_REQUEST_KEY); String samlResponseMessage = (String) session.getAttribute(GeneralConstants.SAML_RESPONSE_KEY); String relayState = (String) session.getAttribute(GeneralConstants.RELAY_STATE); - - String referer = request.getHeader("Referer"); + String referer = request.getHeader("Referer"); + //See if the user has already been authenticated Principal userPrincipal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID); - if(userPrincipal == null) + if (userPrincipal == null) { //The sys admin has not set up the login servlet filters for the IDP - if(trace) + if (trace) log.trace("Login Filters have not been configured"); - response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); - } - - IDPWebRequestUtil webRequestUtil = new IDPWebRequestUtil(request, - idpConfiguration, keyManager); - webRequestUtil.setAttributeManager(this.attribManager); - webRequestUtil.setAttributeKeys(attributeKeys); + response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); + } + + IDPWebRequestUtil webRequestUtil = new IDPWebRequestUtil(request, idpConfiguration, keyManager); webRequestUtil.setCanonicalizationMethod(canonicalizationMethod); boolean willSendRequest = true; - - if(userPrincipal != null) + + if (userPrincipal != null) { - if(trace) + if (trace) { log.trace("Retrieved saml message and relay state from session"); - log.trace("saml Request message=" + samlRequestMessage + "::relay state="+ relayState); - log.trace("saml Response message=" + samlResponseMessage + "::relay state="+ relayState); + log.trace("saml Request message=" + samlRequestMessage + "::relay state=" + relayState); + log.trace("saml Response message=" + samlResponseMessage + "::relay state=" + relayState); } session.removeAttribute(GeneralConstants.SAML_REQUEST_KEY); session.removeAttribute(GeneralConstants.SAML_RESPONSE_KEY); - if(isNotNull(relayState)) + if (isNotNull(relayState)) session.removeAttribute(GeneralConstants.RELAY_STATE); - + SAMLDocumentHolder samlDocumentHolder = null; SAML2Object samlObject = null; String destination = null; Document samlResponse = null; - - if(samlResponseMessage != null) + + if (samlResponseMessage != null) { StatusResponseType statusResponseType = null; try { samlDocumentHolder = webRequestUtil.getSAMLDocumentHolder(samlResponseMessage); - samlObject = (SAML2Object) samlDocumentHolder.getSamlObject(); - + samlObject = samlDocumentHolder.getSamlObject(); + boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile(); - boolean isValid = validate(request.getRemoteAddr(), - request.getQueryString(), - new SessionHolder(samlResponseMessage, null), isPost); - - if(!isValid) + boolean isValid = validate(request.getRemoteAddr(), request.getQueryString(), new SessionHolder( + samlResponseMessage, null), isPost); + + if (!isValid) throw new GeneralSecurityException("Validation check failed"); String issuer = null; IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL); - ProtocolContext protocolContext = new HTTPContext(request,response, context); + ProtocolContext protocolContext = new HTTPContext(request, response, context); //Create the request/response - SAML2HandlerRequest saml2HandlerRequest = - new DefaultSAML2HandlerRequest(protocolContext, - idpIssuer.getIssuer(), samlDocumentHolder, - HANDLER_TYPE.IDP); - + SAML2HandlerRequest saml2HandlerRequest = new DefaultSAML2HandlerRequest(protocolContext, + idpIssuer.getIssuer(), samlDocumentHolder, HANDLER_TYPE.IDP); + saml2HandlerRequest.setRelayState(relayState); - - SAML2HandlerResponse saml2HandlerResponse = new DefaultSAML2HandlerResponse(); + SAML2HandlerResponse saml2HandlerResponse = new DefaultSAML2HandlerResponse(); + Set<SAML2Handler> handlers = chain.handlers(); - - if(samlObject instanceof StatusResponseType) + + if (samlObject instanceof StatusResponseType) { statusResponseType = (StatusResponseType) samlObject; issuer = statusResponseType.getIssuer().getValue(); webRequestUtil.isTrusted(issuer); - - if(handlers != null) - { - for(SAML2Handler handler: handlers) + + if (handlers != null) + { + for (SAML2Handler handler : handlers) { handler.reset(); handler.handleStatusResponseType(saml2HandlerRequest, saml2HandlerResponse); willSendRequest = saml2HandlerResponse.getSendRequest(); - } - } + } + } } else throw new RuntimeException("Unknown type:" + samlObject.getClass().getName()); samlResponse = saml2HandlerResponse.getResultingDocument(); relayState = saml2HandlerResponse.getRelayState(); - + destination = saml2HandlerResponse.getDestination(); } - catch(Exception e) + catch (Exception e) { throw new RuntimeException(e); } - + } else //Send valid saml response after processing the request - if(samlRequestMessage != null) + if (samlRequestMessage != null) { //Get the SAML Request Message - RequestAbstractType requestAbstractType = null; - + RequestAbstractType requestAbstractType = null; + try - { + { samlDocumentHolder = webRequestUtil.getSAMLDocumentHolder(samlRequestMessage); - samlObject = (SAML2Object) samlDocumentHolder.getSamlObject(); - - + samlObject = samlDocumentHolder.getSamlObject(); + boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile(); - boolean isValid = validate(request.getRemoteAddr(), - request.getQueryString(), - new SessionHolder(samlRequestMessage, null), isPost); - - if(!isValid) + boolean isValid = validate(request.getRemoteAddr(), request.getQueryString(), new SessionHolder( + samlRequestMessage, null), isPost); + + if (!isValid) throw new GeneralSecurityException("Validation check failed"); String issuer = null; IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL); - ProtocolContext protocolContext = new HTTPContext(request,response, context); + ProtocolContext protocolContext = new HTTPContext(request, response, context); //Create the request/response - SAML2HandlerRequest saml2HandlerRequest = - new DefaultSAML2HandlerRequest(protocolContext, - idpIssuer.getIssuer(), samlDocumentHolder, - HANDLER_TYPE.IDP); + SAML2HandlerRequest saml2HandlerRequest = new DefaultSAML2HandlerRequest(protocolContext, + idpIssuer.getIssuer(), samlDocumentHolder, HANDLER_TYPE.IDP); saml2HandlerRequest.setRelayState(relayState); - + //Set the options on the handler request Map<String, Object> requestOptions = new HashMap<String, Object>(); requestOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator); requestOptions.put(GeneralConstants.ASSERTIONS_VALIDITY, this.assertionValidity); requestOptions.put(GeneralConstants.CONFIGURATION, this.idpConfiguration); - - Map<String,Object> attribs = this.attribManager.getAttributes(userPrincipal, attributeKeys); - requestOptions.put(GeneralConstants.ATTRIBUTES, attribs); - - saml2HandlerRequest.setOptions(requestOptions); - - List<String> roles = (List<String>) session.getAttribute(GeneralConstants.ROLES_ID); - if(roles == null) + + Map<String, Object> attribs = this.attribManager.getAttributes(userPrincipal, attributeKeys); + requestOptions.put(GeneralConstants.ATTRIBUTES, attribs); + + saml2HandlerRequest.setOptions(requestOptions); + + List<String> roles = (List<String>) session.getAttribute(GeneralConstants.ROLES_ID); + if (roles == null) { roles = roleGenerator.generateRoles(userPrincipal); session.setAttribute(GeneralConstants.ROLES_ID, roles); } - - SAML2HandlerResponse saml2HandlerResponse = new DefaultSAML2HandlerResponse(); + SAML2HandlerResponse saml2HandlerResponse = new DefaultSAML2HandlerResponse(); + Set<SAML2Handler> handlers = chain.handlers(); - - if(samlObject instanceof RequestAbstractType) + + if (samlObject instanceof RequestAbstractType) { requestAbstractType = (RequestAbstractType) samlObject; issuer = requestAbstractType.getIssuer().getValue(); webRequestUtil.isTrusted(issuer); - - if(handlers != null) - { - for(SAML2Handler handler: handlers) + + if (handlers != null) + { + for (SAML2Handler handler : handlers) { handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse); willSendRequest = saml2HandlerResponse.getSendRequest(); - } - } - } + } + } + } else throw new RuntimeException("Unknown type:" + samlObject.getClass().getName()); samlResponse = saml2HandlerResponse.getResultingDocument(); relayState = saml2HandlerResponse.getRelayState(); - + destination = saml2HandlerResponse.getDestination(); - + } catch (IssuerNotTrustedException e) { - if(trace) log.trace("Exception:",e); + if (trace) + log.trace("Exception:", e); - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get(), - this.identityURL, this.signOutgoingMessages); + samlResponse = webRequestUtil.getErrorResponse(referer, + JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get(), this.identityURL, this.signOutgoingMessages); } catch (ParsingException e) { - if(trace) log.trace("Exception:",e); + if (trace) + log.trace("Exception:", e); - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); + samlResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), + this.identityURL, this.signOutgoingMessages); } catch (ConfigurationException e) { - if(trace) log.trace("Exception:",e); + if (trace) + log.trace("Exception:", e); - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); + samlResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), + this.identityURL, this.signOutgoingMessages); } catch (IssueInstantMissingException e) { - if(trace) log.trace("Exception:",e); + if (trace) + log.trace("Exception:", e); - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); - } - catch(GeneralSecurityException e) + samlResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), + this.identityURL, this.signOutgoingMessages); + } + catch (GeneralSecurityException e) { - if(trace) log.trace("Security Exception:",e); + if (trace) + log.trace("Security Exception:", e); - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); + samlResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), + this.identityURL, this.signOutgoingMessages); } - catch(Exception e) + catch (Exception e) { - if(trace) log.trace("Exception:",e); + if (trace) + log.trace("Exception:", e); - samlResponse = - webRequestUtil.getErrorResponse(referer, - JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), - this.identityURL, this.signOutgoingMessages); + samlResponse = webRequestUtil.getErrorResponse(referer, JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), + this.identityURL, this.signOutgoingMessages); } - + } else { log.error("No SAML Request Message"); - if(trace) log.trace("Referer="+referer); + if (trace) + log.trace("Referer=" + referer); try { @@ -552,25 +536,25 @@ } catch (ConfigurationException e) { - if(trace) log.trace(e); - } - } - + if (trace) + log.trace(e); + } + } + try - { - if(samlResponse == null) + { + if (samlResponse == null) throw new ServletException("SAML Response has not been generated"); - - WebRequestUtilHolder holder = webRequestUtil.getHolder(); - holder.setResponseDoc(samlResponse).setDestination(destination).setRelayState(relayState).setAreWeSendingRequest( willSendRequest ) - .setPrivateKey(null).setSupportSignature(false).setServletResponse(response); + holder.setResponseDoc(samlResponse).setDestination(destination).setRelayState(relayState) + .setAreWeSendingRequest(willSendRequest).setPrivateKey(null).setSupportSignature(false) + .setServletResponse(response); holder.setPostBindingRequested(true); - - if(this.signOutgoingMessages) + + if (this.signOutgoingMessages) { - holder.setPrivateKey( keyManager.getSigningKey() ).setSupportSignature(true); + holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true); /*webRequestUtil.send(samlResponse, destination,relayState, response, true, this.keyManager.getSigningKey(), willSendRequest);*/ } @@ -581,41 +565,44 @@ } catch (ParsingException e) { - if(trace) log.trace(e); - } + if (trace) + log.trace(e); + } catch (GeneralSecurityException e) { - if(trace) log.trace(e); + if (trace) + log.trace(e); } return; - } + } } protected void sendErrorResponseToSP(String referrer, HttpServletResponse response, String relayState, IDPWebRequestUtil webRequestUtil) throws ServletException, IOException, ConfigurationException { - if(trace) log.trace("About to send error response to SP:" + referrer); + if (trace) + log.trace("About to send error response to SP:" + referrer); - Document samlResponse = - webRequestUtil.getErrorResponse(referrer, JBossSAMLURIConstants.STATUS_RESPONDER.get(), - this.identityURL, this.signOutgoingMessages); + Document samlResponse = webRequestUtil.getErrorResponse(referrer, JBossSAMLURIConstants.STATUS_RESPONDER.get(), + this.identityURL, this.signOutgoingMessages); try - { + { WebRequestUtilHolder holder = webRequestUtil.getHolder(); - holder.setResponseDoc(samlResponse).setDestination(referrer).setRelayState(relayState).setAreWeSendingRequest( false ) - .setPrivateKey(null).setSupportSignature(false).setServletResponse(response); + holder.setResponseDoc(samlResponse).setDestination(referrer).setRelayState(relayState) + .setAreWeSendingRequest(false).setPrivateKey(null).setSupportSignature(false) + .setServletResponse(response); holder.setPostBindingRequested(true); - - if(this.signOutgoingMessages) + + if (this.signOutgoingMessages) { - holder.setPrivateKey( keyManager.getSigningKey() ).setSupportSignature( true ); + holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true); /*webRequestUtil.send(samlResponse, referrer, relayState, response, true, this.keyManager.getSigningKey(), false);*/ } - - /* else - webRequestUtil.send(samlResponse, referrer, relayState, response, false,null, false);*/ + + /* else + webRequestUtil.send(samlResponse, referrer, relayState, response, false,null, false);*/ webRequestUtil.send(holder); } catch (ParsingException e1) @@ -623,34 +610,33 @@ throw new ServletException(e1); } catch (GeneralSecurityException e) - { + { throw new ServletException(e); - } - } + } + } @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); - } - + } protected static class SessionHolder { String samlRequest; - String signature; - + + String signature; + public SessionHolder(String req, String sig) { this.samlRequest = req; - this.signature = sig; + this.signature = sig; } } - - protected boolean validate(String remoteAddress, - String queryString, - SessionHolder holder, boolean isPost) throws IOException, GeneralSecurityException - { + + protected boolean validate(String remoteAddress, String queryString, SessionHolder holder, boolean isPost) + throws IOException, GeneralSecurityException + { if (holder.samlRequest == null || holder.samlRequest.length() == 0) { return false; @@ -664,12 +650,12 @@ log.error("Signature received from SP is null:" + remoteAddress); return false; } - + //Check if there is a signature byte[] sigValue = RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(queryString); - if(sigValue == null) + if (sigValue == null) return false; - + PublicKey validatingKey; try { @@ -683,7 +669,7 @@ { throw new GeneralSecurityException(e.getCause()); } - + return RedirectBindingSignatureUtil.validateSignature(queryString, validatingKey, sigValue); } else @@ -692,12 +678,12 @@ return true; } } - + public void testPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - this.doPost(request, response); + this.doPost(request, response); } - + private void setRoleGenerator(String rgName) { try @@ -708,6 +694,6 @@ catch (Exception e) { throw new RuntimeException(e); - } + } } } \ No newline at end of file Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java =================================================================== --- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java 2011-03-15 16:39:35 UTC (rev 811) +++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java 2011-03-15 17:14:01 UTC (rev 812) @@ -30,10 +30,7 @@ import java.net.URL; import java.security.GeneralSecurityException; import java.security.KeyPair; -import java.security.Principal; import java.security.PrivateKey; -import java.util.List; -import java.util.Map; import java.util.StringTokenizer; import javax.servlet.http.HttpServletRequest; @@ -49,21 +46,16 @@ import org.picketlink.identity.federation.core.exceptions.ConfigurationException; import org.picketlink.identity.federation.core.exceptions.ParsingException; import org.picketlink.identity.federation.core.exceptions.ProcessingException; -import org.picketlink.identity.federation.core.interfaces.AttributeManager; import org.picketlink.identity.federation.core.interfaces.TrustKeyManager; import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator; import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder; import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants; -import org.picketlink.identity.federation.core.saml.v2.exceptions.IssueInstantMissingException; import org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException; import org.picketlink.identity.federation.core.saml.v2.holders.DestinationInfoHolder; import org.picketlink.identity.federation.core.saml.v2.holders.IDPInfoHolder; import org.picketlink.identity.federation.core.saml.v2.holders.IssuerInfoHolder; import org.picketlink.identity.federation.core.saml.v2.holders.SPInfoHolder; import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil; -import org.picketlink.identity.federation.core.saml.v2.util.StatementUtil; -import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AssertionType; -import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType; import org.picketlink.identity.federation.newmodel.saml.v2.protocol.RequestAbstractType; import org.picketlink.identity.federation.newmodel.saml.v2.protocol.ResponseType; import org.w3c.dom.Document; @@ -77,66 +69,53 @@ public class IDPWebRequestUtil { private static Logger log = Logger.getLogger(IDPWebRequestUtil.class); - private boolean trace = log.isTraceEnabled(); - + + private final boolean trace = log.isTraceEnabled(); + private boolean redirectProfile = false; + private boolean postProfile = false; - private IDPType idpConfiguration; - private TrustKeyManager keyManager; - private AttributeManager attributeManager; - private List<String> attribKeys; + private final IDPType idpConfiguration; + private final TrustKeyManager keyManager; + protected String canonicalizationMethod = CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS; - + public IDPWebRequestUtil(HttpServletRequest request, IDPType idp, TrustKeyManager keym) { this.idpConfiguration = idp; this.keyManager = keym; this.redirectProfile = "GET".equals(request.getMethod()); - this.postProfile = "POST".equals(request.getMethod()); - } - + this.postProfile = "POST".equals(request.getMethod()); + } + public String getCanonicalizationMethod() { return canonicalizationMethod; } - - public void setCanonicalizationMethod(String canonicalizationMethod) { this.canonicalizationMethod = canonicalizationMethod; } - - - public void setAttributeKeys(List<String> attribKeys) - { - this.attribKeys = attribKeys; - } - - public void setAttributeManager(AttributeManager attributeManager) - { - this.attributeManager = attributeManager; - } - public boolean hasSAMLRequestInRedirectProfile() { - return redirectProfile; + return redirectProfile; } - + public boolean hasSAMLRequestInPostProfile() { return postProfile; } - - public SAMLDocumentHolder getSAMLDocumentHolder(String samlMessage) - throws ParsingException, ConfigurationException, ProcessingException - { - InputStream is = null; - SAML2Request saml2Request = new SAML2Request(); - if(redirectProfile) + + public SAMLDocumentHolder getSAMLDocumentHolder(String samlMessage) throws ParsingException, ConfigurationException, + ProcessingException + { + InputStream is = null; + SAML2Request saml2Request = new SAML2Request(); + if (redirectProfile) { is = RedirectBindingUtil.base64DeflateDecode(samlMessage); } @@ -145,32 +124,33 @@ try { byte[] samlBytes = PostBindingUtil.base64Decode(samlMessage); - if(trace) log.trace("SAMLRequest=" + new String(samlBytes)); + if (trace) + log.trace("SAMLRequest=" + new String(samlBytes)); is = new ByteArrayInputStream(samlBytes); } - catch(Exception rte) + catch (Exception rte) { - if(trace) - log.trace("Error in base64 decoding saml message: "+rte); + if (trace) + log.trace("Error in base64 decoding saml message: " + rte); throw new ParsingException(rte); - } + } } saml2Request.getSAML2ObjectFromStream(is); return saml2Request.getSamlDocumentHolder(); } - - public RequestAbstractType getSAMLRequest(String samlMessage) - throws ParsingException, ConfigurationException, ProcessingException - { - InputStream is = null; - SAML2Request saml2Request = new SAML2Request(); - if(redirectProfile) + + public RequestAbstractType getSAMLRequest(String samlMessage) throws ParsingException, ConfigurationException, + ProcessingException + { + InputStream is = null; + SAML2Request saml2Request = new SAML2Request(); + if (redirectProfile) { try { - is = RedirectBindingUtil.base64DeflateDecode(samlMessage); + is = RedirectBindingUtil.base64DeflateDecode(samlMessage); } - catch(Exception e) + catch (Exception e) { log.error("Exception in parsing saml message:", e); throw new ParsingException(); @@ -179,113 +159,13 @@ else { byte[] samlBytes = PostBindingUtil.base64Decode(samlMessage); - if(trace) log.trace("SAMLRequest=" + new String(samlBytes)); + if (trace) + log.trace("SAMLRequest=" + new String(samlBytes)); is = new ByteArrayInputStream(samlBytes); } return saml2Request.getRequestType(is); - } - - - public Document getResponse( String assertionConsumerURL, - Principal userPrincipal, - List<String> roles, - String identityURL, - long assertionValidity, - boolean supportSignature) - throws ConfigurationException, IssueInstantMissingException, ProcessingException - { - Document samlResponseDocument = null; - - if(trace) - log.trace("AssertionConsumerURL=" + assertionConsumerURL + - "::assertion validity=" + assertionValidity); - ResponseType responseType = null; - - SAML2Response saml2Response = new SAML2Response(); - - //Create a response type - String id = IDGenerator.create("ID_"); - - IssuerInfoHolder issuerHolder = new IssuerInfoHolder(identityURL); - issuerHolder.setStatusCode(JBossSAMLURIConstants.STATUS_SUCCESS.get()); - - IDPInfoHolder idp = new IDPInfoHolder(); - idp.setNameIDFormatValue(userPrincipal.getName()); - idp.setNameIDFormat(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get()); - - SPInfoHolder sp = new SPInfoHolder(); - sp.setResponseDestinationURI(assertionConsumerURL); - responseType = saml2Response.createResponseType(id, sp, idp, issuerHolder); - - //Add information on the roles - AssertionType assertion = (AssertionType) responseType.getAssertions().get(0).getAssertion(); - - AttributeStatementType attrStatement = StatementUtil.createAttributeStatement(roles); - assertion.addStatement( attrStatement ); - - //Add timed conditions - saml2Response.createTimedConditions(assertion, assertionValidity); - - //Add in the attributes information - if(this.attributeManager != null) - { - try - { - Map<String, Object> attribs = - attributeManager.getAttributes(userPrincipal, this.attribKeys); - AttributeStatementType attStatement = StatementUtil.createAttributeStatement(attribs); - assertion.addStatement( attStatement ); - } - catch(Exception e) - { - log.error("Exception in generating attributes:",e); - } - } - - //Lets see how the response looks like - if(log.isTraceEnabled()) - { - StringWriter sw = new StringWriter(); - try - { - saml2Response.marshall(responseType, sw); - } - catch ( ProcessingException e) - { - log.trace(e); - } - log.trace("Response="+sw.toString()); - } - - if(trace) - log.trace("Support Sig=" + supportSignature + " ::Post Profile?=" + hasSAMLRequestInPostProfile()); - if(supportSignature && hasSAMLRequestInPostProfile()) - { - try - { - SAML2Signature saml2Signature = new SAML2Signature(); - samlResponseDocument = saml2Signature.sign(responseType, keyManager.getSigningKeyPair()); - } - catch (Exception e) - { - if(trace) log.trace(e); - } - } - else - try - { - samlResponseDocument = saml2Response.convert(responseType); - } - catch (Exception e) - { - if(trace) log.trace(e); - } - - return samlResponseDocument; } - - - + /** * Verify that the issuer is trusted * @param issuer @@ -293,101 +173,43 @@ */ public void isTrusted(String issuer) throws IssuerNotTrustedException { - if(idpConfiguration == null) + if (idpConfiguration == null) throw new IllegalStateException("IDP Configuration is null"); try { String issuerDomain = getDomain(issuer); - TrustType idpTrust = idpConfiguration.getTrust(); - if(idpTrust != null) + TrustType idpTrust = idpConfiguration.getTrust(); + if (idpTrust != null) { String domainsTrusted = idpTrust.getDomains(); - if(trace) - log.trace("Domains that IDP trusts="+domainsTrusted + " and issuer domain="+issuerDomain); - if(domainsTrusted.indexOf(issuerDomain) < 0) + if (trace) + log.trace("Domains that IDP trusts=" + domainsTrusted + " and issuer domain=" + issuerDomain); + if (domainsTrusted.indexOf(issuerDomain) < 0) { //Let us do string parts checking StringTokenizer st = new StringTokenizer(domainsTrusted, ","); - while(st != null && st.hasMoreTokens()) + while (st != null && st.hasMoreTokens()) { String uriBit = st.nextToken(); - if(trace) - log.trace("Matching uri bit="+ uriBit); - if(issuerDomain.indexOf(uriBit) > 0) + if (trace) + log.trace("Matching uri bit=" + uriBit); + if (issuerDomain.indexOf(uriBit) > 0) { - if(trace) - log.trace("Matched " + uriBit + " trust for " + issuerDomain ); + if (trace) + log.trace("Matched " + uriBit + " trust for " + issuerDomain); return; - } - } + } + } throw new IssuerNotTrustedException(issuer); - } + } } } catch (Exception e) { - throw new IssuerNotTrustedException(e.getLocalizedMessage(),e); + throw new IssuerNotTrustedException(e.getLocalizedMessage(), e); } } - - /** - * Send a response - * @param responseDoc - * @param relayState - * @param response - * @throws GeneralSecurityException - * @throws IOException - */ - /* public void send(Document responseDoc, String destination, - String relayState, - HttpServletResponse response, - boolean supportSignature, - PrivateKey signingKey, - boolean sendRequest) throws GeneralSecurityException, IOException - { - if(responseDoc == null) - throw new IllegalArgumentException("responseType is null"); - - if(redirectProfile) - { - byte[] responseBytes = DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8"); - - String urlEncodedResponse = RedirectBindingUtil.deflateBase64URLEncode(responseBytes); - - if(trace) log.trace("IDP:Destination=" + destination); - - if(isNotNull(relayState)) - relayState = RedirectBindingUtil.urlEncode(relayState); - - String finalDest = destination + getDestination(urlEncodedResponse, relayState, - supportSignature, sendRequest); - if(trace) log.trace("Redirecting to="+ finalDest); - HTTPRedirectUtil.sendRedirectForResponder(finalDest, response); - } - else - { - //If we support signature - if(supportSignature) - { - //Sign the document - SAML2Signature samlSignature = new SAML2Signature(); - - KeyPair keypair = keyManager.getSigningKeyPair(); - samlSignature.signSAMLDocument(responseDoc, keypair); - - if(trace) - log.trace("Sending over to SP:" + DocumentUtil.asString(responseDoc)); - } - byte[] responseBytes = DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8"); - - String samlResponse = PostBindingUtil.base64Encode(new String(responseBytes)); - - PostBindingUtil.sendPost(new DestinationInfoHolder(destination, - samlResponse, relayState), response, sendRequest); - } - }*/ - /** * Send a response * @param responseDoc @@ -396,11 +218,11 @@ * @throws GeneralSecurityException * @throws IOException */ - public void send( WebRequestUtilHolder holder) throws GeneralSecurityException, IOException + public void send(WebRequestUtilHolder holder) throws GeneralSecurityException, IOException { Document responseDoc = holder.getResponseDoc(); - - if( responseDoc == null ) + + if (responseDoc == null) throw new IllegalArgumentException("responseType is null"); String destination = holder.getDestination(); @@ -408,48 +230,47 @@ boolean supportSignature = holder.isSupportSignature(); boolean sendRequest = holder.isAreWeSendingRequest(); HttpServletResponse response = holder.getServletResponse(); - - if(holder.isPostBindingRequested() == false) - { - byte[] responseBytes = DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8"); - + + if (holder.isPostBindingRequested() == false) + { + byte[] responseBytes = DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8"); + String urlEncodedResponse = RedirectBindingUtil.deflateBase64URLEncode(responseBytes); - - - if(trace) log.trace("IDP:Destination=" + destination); - if(isNotNull(relayState)) + if (trace) + log.trace("IDP:Destination=" + destination); + + if (isNotNull(relayState)) relayState = RedirectBindingUtil.urlEncode(relayState); - String finalDest = destination + getDestination(urlEncodedResponse, relayState, - supportSignature, sendRequest); - if(trace) log.trace("Redirecting to="+ finalDest); - HTTPRedirectUtil.sendRedirectForResponder(finalDest, response); - } + String finalDest = destination + getDestination(urlEncodedResponse, relayState, supportSignature, sendRequest); + if (trace) + log.trace("Redirecting to=" + finalDest); + HTTPRedirectUtil.sendRedirectForResponder(finalDest, response); + } else - { + { //If we support signature - if(supportSignature) + if (supportSignature) { //Sign the document - SAML2Signature samlSignature = new SAML2Signature(); + SAML2Signature samlSignature = new SAML2Signature(); KeyPair keypair = keyManager.getSigningKeyPair(); - samlSignature.signSAMLDocument(responseDoc, keypair); - - if(trace) - log.trace("Sending over to SP:" + DocumentUtil.asString(responseDoc)); + samlSignature.signSAMLDocument(responseDoc, keypair); + + if (trace) + log.trace("Sending over to SP:" + DocumentUtil.asString(responseDoc)); } - byte[] responseBytes = DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8"); - + byte[] responseBytes = DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8"); + String samlResponse = PostBindingUtil.base64Encode(new String(responseBytes)); - - PostBindingUtil.sendPost(new DestinationInfoHolder(destination, - samlResponse, relayState), response, sendRequest); + + PostBindingUtil.sendPost(new DestinationInfoHolder(destination, samlResponse, relayState), response, + sendRequest); } - } - - + } + /** * Generate a Destination URL for the HTTPRedirect binding * with the saml response and relay state @@ -457,8 +278,8 @@ * @param urlEncodedRelayState * @return */ - public String getDestination(String urlEncodedResponse, String urlEncodedRelayState, - boolean supportSignature, boolean sendRequest) + public String getDestination(String urlEncodedResponse, String urlEncodedRelayState, boolean supportSignature, + boolean sendRequest) { StringBuilder sb = new StringBuilder(); @@ -472,12 +293,13 @@ } catch (Exception e) { - if(trace) log.trace(e); + if (trace) + log.trace(e); } } else { - if(sendRequest) + if (sendRequest) sb.append("?SAMLRequest=").append(urlEncodedResponse); else sb.append("?SAMLResponse=").append(urlEncodedResponse); @@ -486,12 +308,12 @@ } return sb.toString(); } - + public WebRequestUtilHolder getHolder() { return new WebRequestUtilHolder(); } - + /** * Create an Error Response * @param responseURL @@ -501,18 +323,17 @@ * @return * @throws ConfigurationException */ - public Document getErrorResponse(String responseURL, String status, - String identityURL, boolean supportSignature) - { + public Document getErrorResponse(String responseURL, String status, String identityURL, boolean supportSignature) + { Document samlResponse = null; - ResponseType responseType = null; + ResponseType responseType = null; SAML2Response saml2Response = new SAML2Response(); //Create a response type String id = IDGenerator.create("ID_"); - IssuerInfoHolder issuerHolder = new IssuerInfoHolder(identityURL); + IssuerInfoHolder issuerHolder = new IssuerInfoHolder(identityURL); issuerHolder.setStatusCode(status); IDPInfoHolder idp = new IDPInfoHolder(); @@ -527,17 +348,19 @@ } catch (ConfigurationException e1) { - if(trace) log.trace(e1); + if (trace) + log.trace(e1); responseType = saml2Response.createResponseType(); } catch (ProcessingException e) { - if(trace) log.trace( e ); + if (trace) + log.trace(e); responseType = saml2Response.createResponseType(); - } + } //Lets see how the response looks like - if(log.isTraceEnabled()) + if (log.isTraceEnabled()) { log.trace("Error_ResponseType = "); StringWriter sw = new StringWriter(); @@ -545,24 +368,25 @@ { saml2Response.marshall(responseType, sw); } - catch ( ProcessingException e) + catch (ProcessingException e) { log.trace(e); - } - log.trace("Response="+sw.toString()); + } + log.trace("Response=" + sw.toString()); } - if(supportSignature) - { + if (supportSignature) + { try - { - SAML2Signature ss = new SAML2Signature(); + { + SAML2Signature ss = new SAML2Signature(); samlResponse = ss.sign(responseType, keyManager.getSigningKeyPair()); } catch (Exception e) { - if(trace) log.trace(e); - } + if (trace) + log.trace(e); + } } else try @@ -571,106 +395,129 @@ } catch (Exception e) { - if(trace) log.trace(e); - } - - return samlResponse; + if (trace) + log.trace(e); + } + + return samlResponse; } - + /** * Given a SP or IDP issuer from the assertion, return the host * @param domainURL * @return * @throws IOException */ - private static String getDomain(String domainURL) throws IOException + private static String getDomain(String domainURL) throws IOException { URL url = new URL(domainURL); return url.getHost(); } - + public class WebRequestUtilHolder - { + { private Document responseDoc; + private String relayState; + private String destination; + private HttpServletResponse servletResponse; + private PrivateKey privateKey; + private boolean supportSignature; + private boolean postBindingRequested; + private boolean areWeSendingRequest; + public Document getResponseDoc() { return responseDoc; } - + public WebRequestUtilHolder setResponseDoc(Document responseDoc) { this.responseDoc = responseDoc; return this; } + public String getRelayState() { return relayState; } + public WebRequestUtilHolder setRelayState(String relayState) { this.relayState = relayState; return this; } + public String getDestination() { return destination; } + public WebRequestUtilHolder setDestination(String destination) { this.destination = destination; return this; } + public HttpServletResponse getServletResponse() { return servletResponse; } + public WebRequestUtilHolder setServletResponse(HttpServletResponse servletResponse) { this.servletResponse = servletResponse; return this; } + public PrivateKey getPrivateKey() { return privateKey; } + public WebRequestUtilHolder setPrivateKey(PrivateKey privateKey) { this.privateKey = privateKey; return this; } + public boolean isSupportSignature() { return supportSignature; } + public WebRequestUtilHolder setSupportSignature(boolean supportSignature) { this.supportSignature = supportSignature; return this; } + public boolean isPostBindingRequested() { return postBindingRequested; } + public WebRequestUtilHolder setPostBindingRequested(boolean postBindingRequested) { this.postBindingRequested = postBindingRequested; return this; } + public boolean isAreWeSendingRequest() { return areWeSendingRequest; } + public WebRequestUtilHolder setAreWeSendingRequest(boolean areWeSendingRequest) { this.areWeSendingRequest = areWeSendingRequest; return this; - } + } } } \ No newline at end of file

13 years, 9 months

1
0
0 / 0

Picketlink SVN: r811 - in federation/trunk/picketlink-fed-core/src: test/java/org/picketlink/test/identity/federation/core/parser and 1 other directory.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-03-15 12:39:35 -0400 (Tue, 15 Mar 2011) New Revision: 811 Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/StringUtil.java federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/parser/SystemPropertyAsStringUnitTestCase.java Log: PLFED-138: handle null param with RTE Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/StringUtil.java =================================================================== --- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/StringUtil.java 2011-03-15 16:32:05 UTC (rev 810) +++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/StringUtil.java 2011-03-15 16:39:35 UTC (rev 811) @@ -77,6 +77,8 @@ */ public static String getSystemPropertyAsString(String str) { + if (str == null) + throw new IllegalArgumentException("str is null"); if (str.contains("${")) { Pattern pattern = Pattern.compile("\\$\\{([^}]+)}"); Modified: federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/parser/SystemPropertyAsStringUnitTestCase.java =================================================================== --- federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/parser/SystemPropertyAsStringUnitTestCase.java 2011-03-15 16:32:05 UTC (rev 810) +++ federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/parser/SystemPropertyAsStringUnitTestCase.java 2011-03-15 16:39:35 UTC (rev 811) @@ -22,6 +22,7 @@ package org.picketlink.test.identity.federation.core.parser; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.fail; import org.junit.Before; import org.junit.Test; @@ -45,6 +46,19 @@ @Test public void testSystemProperty() throws Exception { + try + { + assertEquals(null, StringUtil.getSystemPropertyAsString(null)); + fail("should not have passed"); + } + catch (IllegalArgumentException iae) + { + + } + catch (Exception e) + { + fail("unknown ex"); + } assertEquals("test", StringUtil.getSystemPropertyAsString("test")); assertEquals("test/test", StringUtil.getSystemPropertyAsString("test/test"));

13 years, 9 months

1
0
0 / 0

Picketlink SVN: r810 - in federation/trunk: picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/constants and 3 other directories.

by picketlink-commits＠lists.jboss.org

Author: anil.saldhana(a)jboss.com Date: 2011-03-15 12:32:05 -0400 (Tue, 15 Mar 2011) New Revision: 810 Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/AttributeConstants.java federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/constants/X500SAMLProfileConstants.java federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/saml/v2/X500AttributeUnitTestCase.java federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2AttributeHandlerUnitTestCase.java Log: fix the x500 attribute handling Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/AttributeConstants.java =================================================================== --- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/AttributeConstants.java 2011-03-15 15:51:49 UTC (rev 809) +++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/constants/AttributeConstants.java 2011-03-15 16:32:05 UTC (rev 810) @@ -28,18 +28,5 @@ */ public interface AttributeConstants { - String COUNTRY = "country"; - String EMAIL_ADDRESS = "email"; - String EMPLOYEE_TYPE = "employeeType"; - String EMPLOYEE_NUMBER = "employeeNumber"; - String GIVEN_NAME = "givenName"; - String PREFERRED_LANGUAGE = "preferredLanguage"; - String PO_BOX = "postOfficeBox"; - String POSTAL_CODE = "postalCode"; - String POSTAL_ADDRESS ="postalAddress"; - String SURNAME = "surname"; - String STREET = "street"; - String TITLE = "title"; - String TELEPHONE = "telephoneNumber"; String ROLES = "roles"; } \ No newline at end of file Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/constants/X500SAMLProfileConstants.java =================================================================== --- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/constants/X500SAMLProfileConstants.java 2011-03-15 15:51:49 UTC (rev 809) +++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/constants/X500SAMLProfileConstants.java 2011-03-15 16:32:05 UTC (rev 810) @@ -21,6 +21,10 @@ */ package org.picketlink.identity.federation.core.saml.v2.constants; +import java.util.EnumSet; +import java.util.HashMap; +import java.util.Map; + /** * X500 SAML Profile Constants * Adapted from http://code.google.com/p/simplesamlphp/source/browse/trunk/attributemap/n... @@ -190,13 +194,21 @@ X121_ADDRESS("x121Address" , "urn:oid:2.5.4.24"), X500_UNIQUE_IDENTIFIER("x500UniqueIdentifier" , "urn:oid:2.5.4.45"); - private final String friendlyName = null; + private String friendlyName = null; private String uri = null; + private static final Map<String,String> lookup = new HashMap<String,String>(); + + static { + for(X500SAMLProfileConstants s : EnumSet.allOf(X500SAMLProfileConstants.class)) + lookup.put(s.friendlyName, s.uri); + } + private X500SAMLProfileConstants(String friendlyName, String uristr) { - this.uri = uristr; + this.uri = uristr; + this.friendlyName = friendlyName; } public String get() @@ -208,4 +220,9 @@ { return friendlyName; } + + public static String getOID( final String key) + { + return lookup.get(key); + } } \ No newline at end of file Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java =================================================================== --- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java 2011-03-15 15:51:49 UTC (rev 809) +++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java 2011-03-15 16:32:05 UTC (rev 810) @@ -33,6 +33,7 @@ import org.picketlink.identity.federation.core.constants.AttributeConstants; import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants; import org.picketlink.identity.federation.core.saml.v2.constants.X500SAMLProfileConstants; +import org.picketlink.identity.federation.core.util.StringUtil; import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType; import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType.ASTChoiceType; import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeType; @@ -116,27 +117,12 @@ AttributeType att; Object value = attributes.get(key); - if (AttributeConstants.EMAIL_ADDRESS.equals(key)) + String uri = X500SAMLProfileConstants.getOID(key); + if (StringUtil.isNotNull(uri)) { - att = getX500Attribute(X500SAMLProfileConstants.EMAIL_ADDRESS.get()); - att.setFriendlyName(X500SAMLProfileConstants.EMAIL_ADDRESS.getFriendlyName()); + att = getX500Attribute(uri); + att.setFriendlyName(key); } - else if (AttributeConstants.EMPLOYEE_NUMBER.equals(key)) - { - att = getX500Attribute(X500SAMLProfileConstants.EMPLOYEE_NUMBER.get()); - att.setFriendlyName(X500SAMLProfileConstants.EMPLOYEE_NUMBER.getFriendlyName()); - } - else if (AttributeConstants.GIVEN_NAME.equals(key)) - { - att = getX500Attribute(X500SAMLProfileConstants.GIVEN_NAME.get()); - att.setFriendlyName(X500SAMLProfileConstants.GIVEN_NAME.getFriendlyName()); - } - else if (AttributeConstants.TELEPHONE.equals(key)) - { - att = getX500Attribute(X500SAMLProfileConstants.TELEPHONE_NUMBER.get()); - att.setFriendlyName(X500SAMLProfileConstants.TELEPHONE_NUMBER.getFriendlyName()); - att.setName(X500SAMLProfileConstants.TELEPHONE_NUMBER.get()); - } else throw new RuntimeException("Unknown:" + key); Modified: federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/saml/v2/X500AttributeUnitTestCase.java =================================================================== --- federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/saml/v2/X500AttributeUnitTestCase.java 2011-03-15 15:51:49 UTC (rev 809) +++ federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/saml/v2/X500AttributeUnitTestCase.java 2011-03-15 16:32:05 UTC (rev 810) @@ -27,9 +27,9 @@ import junit.framework.TestCase; -import org.picketlink.identity.federation.core.constants.AttributeConstants; import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator; import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants; +import org.picketlink.identity.federation.core.saml.v2.constants.X500SAMLProfileConstants; import org.picketlink.identity.federation.core.saml.v2.factories.JBossSAMLAuthnResponseFactory; import org.picketlink.identity.federation.core.saml.v2.holders.IDPInfoHolder; import org.picketlink.identity.federation.core.saml.v2.holders.IssuerInfoHolder; @@ -55,53 +55,50 @@ { public void testX500Marshalling() throws Exception { - Map<String,Object> attributes = new HashMap<String, Object>(); - attributes.put(AttributeConstants.EMAIL_ADDRESS, "test@a"); - attributes.put(AttributeConstants.GIVEN_NAME, "anil"); - + Map<String, Object> attributes = new HashMap<String, Object>(); + attributes.put(X500SAMLProfileConstants.EMAIL_ADDRESS.getFriendlyName(), "test@a"); + attributes.put(X500SAMLProfileConstants.GIVEN_NAME.getFriendlyName(), "anil"); + AttributeStatementType attrStat = StatementUtil.createAttributeStatement(attributes); - + IssuerInfoHolder issuerHolder = new IssuerInfoHolder("http://idp"); issuerHolder.setStatusCode(JBossSAMLURIConstants.STATUS_SUCCESS.get()); - + IDPInfoHolder idp = new IDPInfoHolder(); idp.setNameIDFormatValue(IDGenerator.create()); - - ResponseType rt = JBossSAMLAuthnResponseFactory.createResponseType("response111", - new SPInfoHolder(), idp, issuerHolder); + + ResponseType rt = JBossSAMLAuthnResponseFactory.createResponseType("response111", new SPInfoHolder(), idp, + issuerHolder); assertNotNull(rt); - - AssertionType assertion = (AssertionType) rt.getAssertions().get(0).getAssertion(); - assertion.addStatement( attrStat ); - + + AssertionType assertion = rt.getAssertions().get(0).getAssertion(); + assertion.addStatement(attrStat); + ByteArrayOutputStream baos = new ByteArrayOutputStream(); - - SAMLResponseWriter writer = new SAMLResponseWriter( StaxUtil.getXMLStreamWriter(baos) ); + + SAMLResponseWriter writer = new SAMLResponseWriter(StaxUtil.getXMLStreamWriter(baos)); writer.write(rt); - + /*Marshaller marshaller = JBossSAMLAuthnResponseFactory.getValidatingMarshaller(false); JAXBElement<ResponseType> jaxb = SAMLProtocolFactory.getObjectFactory().createResponse(rt); marshaller.marshal(jaxb, baos); *///marshaller.marshal(jaxb, System.out); - + Document samlDom = DocumentUtil.getDocument(new String(baos.toByteArray())); - System.out.println( DocumentUtil.getDocumentAsString(samlDom)); - - NodeList nl = samlDom.getElementsByTagNameNS(JBossSAMLURIConstants.ASSERTION_NSURI.get() ,"Attribute"); + System.out.println(DocumentUtil.getDocumentAsString(samlDom)); + + NodeList nl = samlDom.getElementsByTagNameNS(JBossSAMLURIConstants.ASSERTION_NSURI.get(), "Attribute"); assertEquals("nodes = 2", 2, nl.getLength()); - + String x500NS = JBossSAMLURIConstants.X500_NSURI.get(); String encodingLocalName = "Encoding"; - + Element attrib = (Element) nl.item(0); - assertTrue("Has ldap encoding?", attrib.hasAttributeNS( x500NS, encodingLocalName)); - assertEquals("LDAP", - attrib.getAttributeNodeNS(x500NS, encodingLocalName).getNodeValue()); - - NodeList nla = - attrib.getElementsByTagNameNS(JBossSAMLURIConstants.ASSERTION_NSURI.get(), - "AttributeValue"); - + assertTrue("Has ldap encoding?", attrib.hasAttributeNS(x500NS, encodingLocalName)); + assertEquals("LDAP", attrib.getAttributeNodeNS(x500NS, encodingLocalName).getNodeValue()); + + NodeList nla = attrib.getElementsByTagNameNS(JBossSAMLURIConstants.ASSERTION_NSURI.get(), "AttributeValue"); + Node attribNode = nla.item(0); String nodeValue = attribNode.getTextContent(); assertTrue(nodeValue.equals("test@a") || nodeValue.equals("anil")); Modified: federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2AttributeHandlerUnitTestCase.java =================================================================== --- federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2AttributeHandlerUnitTestCase.java 2011-03-15 15:51:49 UTC (rev 809) +++ federation/trunk/picketlink-web/src/test/java/org/picketlink/test/identity/federation/web/saml/handlers/SAML2AttributeHandlerUnitTestCase.java 2011-03-15 16:32:05 UTC (rev 810) @@ -29,9 +29,9 @@ import junit.framework.TestCase; import org.picketlink.identity.federation.core.config.IDPType; -import org.picketlink.identity.federation.core.constants.AttributeConstants; import org.picketlink.identity.federation.core.interfaces.AttributeManager; import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder; +import org.picketlink.identity.federation.core.saml.v2.constants.X500SAMLProfileConstants; import org.picketlink.identity.federation.core.saml.v2.holders.IssuerInfoHolder; import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerChainConfig; import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerConfig; @@ -59,66 +59,69 @@ public class SAML2AttributeHandlerUnitTestCase extends TestCase { private static String name = "anil"; + private static String email = "anil@test"; - + @SuppressWarnings("unchecked") public void testAttributes() throws Exception { SAML2AttributeHandler handler = new SAML2AttributeHandler(); - + SAML2HandlerChainConfig chainConfig = new DefaultSAML2HandlerChainConfig(); SAML2HandlerConfig handlerConfig = new DefaultSAML2HandlerConfig(); - - Map<String,Object> chainOptions = new HashMap<String, Object>(); + + Map<String, Object> chainOptions = new HashMap<String, Object>(); IDPType idpType = new IDPType(); idpType.setAttributeManager(TestAttributeManager.class.getName()); chainOptions.put(GeneralConstants.CONFIGURATION, idpType); chainConfig.set(chainOptions); - - + //Initialize the handler handler.initChainConfig(chainConfig); handler.initHandlerConfig(handlerConfig); - + //Create a Protocol Context MockHttpSession session = new MockHttpSession(); MockServletContext servletContext = new MockServletContext(); MockHttpServletRequest servletRequest = new MockHttpServletRequest(session, "POST"); MockHttpServletResponse servletResponse = new MockHttpServletResponse(); HTTPContext httpContext = new HTTPContext(servletRequest, servletResponse, servletContext); - - SAML2Object saml2Object = new SAML2Object(){}; - + + SAML2Object saml2Object = new SAML2Object() + { + }; + SAMLDocumentHolder docHolder = new SAMLDocumentHolder(saml2Object, null); IssuerInfoHolder issuerInfo = new IssuerInfoHolder("http://localhost:8080/idp/"); - SAML2HandlerRequest request = new DefaultSAML2HandlerRequest(httpContext, - issuerInfo.getIssuer(), docHolder, SAML2Handler.HANDLER_TYPE.IDP); + SAML2HandlerRequest request = new DefaultSAML2HandlerRequest(httpContext, issuerInfo.getIssuer(), docHolder, + SAML2Handler.HANDLER_TYPE.IDP); SAML2HandlerResponse response = new DefaultSAML2HandlerResponse(); - + session.setAttribute(GeneralConstants.PRINCIPAL_ID, new Principal() { public String getName() { return name; - }}); - handler.handleRequestType(request, response); - + } + }); + handler.handleRequestType(request, response); + Map<String, Object> attribs = (Map<String, Object>) session.getAttribute(GeneralConstants.ATTRIBUTES); assertNotNull("Attributes are not null", attribs); - assertEquals(email,attribs.get(AttributeConstants.EMAIL_ADDRESS)); + assertEquals(email, attribs.get(X500SAMLProfileConstants.EMAIL.getFriendlyName())); } - + public static class TestAttributeManager implements AttributeManager - { + { public Map<String, Object> getAttributes(Principal userPrincipal, List<String> attributeKeys) { - Map<String,Object> attribs = new HashMap<String, Object>(); - - if(name.equals(userPrincipal.getName())) + Map<String, Object> attribs = new HashMap<String, Object>(); + + if (name.equals(userPrincipal.getName())) { - attribs.put(AttributeConstants.EMAIL_ADDRESS, email); + attribs.put(X500SAMLProfileConstants.EMAIL.getFriendlyName(), email); } return attribs; - } + } } } \ No newline at end of file

13 years, 9 months

1
0
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

picketlink-commits March 2011