Picketlink SVN: r1148 - in product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation: web/handlers/saml2 and 1 other directory.
by picketlink-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2011-07-28 18:27:26 -0400 (Thu, 28 Jul 2011)
New Revision: 1148
Modified:
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
Log:
merge r1147
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces
___________________________________________________________________
Added: svn:mergeinfo
+ /federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces:1144-1147
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java 2011-07-28 22:24:59 UTC (rev 1147)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java 2011-07-28 22:27:26 UTC (rev 1148)
@@ -20,7 +20,6 @@
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.picketlink.identity.federation.core.saml.v2.interfaces;
-
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
@@ -31,36 +30,38 @@
* @since Sep 17, 2009
*/
public interface SAML2Handler
-{
+{
//Define some constants
+ String ASSERTION_CONSUMER_URL = "ASSERTION_CONSUMER_URL";
+
String DISABLE_AUTHN_STATEMENT = "DISABLE_AUTHN_STATEMENT";
- String DISABLE_SENDING_ROLES = "DISABLE_SENDING_ROLES";
+
+ String DISABLE_SENDING_ROLES = "DISABLE_SENDING_ROLES";
+
String DISABLE_ROLE_PICKING = "DISABLE_ROLE_PICKING";
+
String ROLE_KEY = "ROLE_KEY";
-
+
/**
* Processing Point - idp side
* or service side
*/
- public enum HANDLER_TYPE
- {
- IDP,SP;
+ public enum HANDLER_TYPE {
+ IDP, SP;
};
-
+
/**
* Initialize the handler
* @param handlerConfig Handler Config
*/
- void initChainConfig(SAML2HandlerChainConfig handlerChainConfig)
- throws ConfigurationException;
-
+ void initChainConfig(SAML2HandlerChainConfig handlerChainConfig) throws ConfigurationException;
+
/**
* Initialize the handler from configuration
* @param options
*/
- void initHandlerConfig(SAML2HandlerConfig handlerConfig)
- throws ConfigurationException;
-
+ void initHandlerConfig(SAML2HandlerConfig handlerConfig) throws ConfigurationException;
+
/**
* Generate a SAML Request to be sent to the IDP
* if the handler is invoked at the SP and vice-versa
@@ -68,9 +69,7 @@
* @param response
* @throws ProcessingException
*/
- void generateSAMLRequest(SAML2HandlerRequest request,
- SAML2HandlerResponse response) throws ProcessingException;
-
+ void generateSAMLRequest(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException;
/**
* Get the type of handler
@@ -78,25 +77,23 @@
* @return
*/
HANDLER_TYPE getType();
-
+
/**
* Handle a SAML2 RequestAbstractType
* @param requestAbstractType
* @param resultingDocument
* @return
*/
- void handleRequestType(SAML2HandlerRequest request,
- SAML2HandlerResponse response) throws ProcessingException;
-
+ void handleRequestType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException;
+
/**
* Handle a SAML2 Status Response Type
* @param statusResponseType
* @param resultingDocument
* @return
*/
- void handleStatusResponseType(SAML2HandlerRequest request,
- SAML2HandlerResponse response) throws ProcessingException;
-
+ void handleStatusResponseType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException;
+
/**
* Shed all state
* @throws ProcessingException
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2
___________________________________________________________________
Modified: svn:mergeinfo
- /federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1144-1145
+ /federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1144-1147
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-07-28 22:24:59 UTC (rev 1147)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-07-28 22:27:26 UTC (rev 1148)
@@ -91,6 +91,7 @@
* @see SAML2Handler#DISABLE_ROLE_PICKING Setting to true will disable picking IDP attribute statements (SP Setting)
* @see SAML2Handler#ROLE_KEY a csv list of strings that represent the roles coming from IDP (SP Setting)
* @see GeneralConstants#NAMEID_FORMAT Setting to a value will provide the nameid format to be sent to IDP (SP Setting)
+ * @see SAML2Handler#ASSERTION_CONSUMER_URL: the url to be used for assertionConsumerURL
* </p>
*
* @author Anil.Saldhana(a)redhat.com
@@ -333,6 +334,12 @@
SAML2Request samlRequest = new SAML2Request();
String id = IDGenerator.create("ID_");
+ String assertionConsumerURL = (String) handlerConfig.getParameter(SAML2Handler.ASSERTION_CONSUMER_URL);
+ if (StringUtil.isNullOrEmpty(assertionConsumerURL))
+ {
+ assertionConsumerURL = issuerValue;
+ }
+
//Check if there is a nameid policy
String nameIDFormat = (String) handlerConfig.getParameter(GeneralConstants.NAMEID_FORMAT);
if (StringUtil.isNotNull(nameIDFormat))
@@ -341,8 +348,8 @@
}
try
{
- AuthnRequestType authn = samlRequest.createAuthnRequestType(id, issuerValue, response.getDestination(),
- issuerValue);
+ AuthnRequestType authn = samlRequest.createAuthnRequestType(id, assertionConsumerURL,
+ response.getDestination(), issuerValue);
response.setResultingDocument(samlRequest.convert(authn));
response.setSendRequest(true);
13 years, 4 months
Picketlink SVN: r1147 - in federation/trunk: picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2 and 1 other directory.
by picketlink-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2011-07-28 18:24:59 -0400 (Thu, 28 Jul 2011)
New Revision: 1147
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
Log:
PLFED-149: option for assertionConsumerURL
Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java 2011-07-28 22:13:46 UTC (rev 1146)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java 2011-07-28 22:24:59 UTC (rev 1147)
@@ -20,7 +20,6 @@
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.picketlink.identity.federation.core.saml.v2.interfaces;
-
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
@@ -31,36 +30,38 @@
* @since Sep 17, 2009
*/
public interface SAML2Handler
-{
+{
//Define some constants
+ String ASSERTION_CONSUMER_URL = "ASSERTION_CONSUMER_URL";
+
String DISABLE_AUTHN_STATEMENT = "DISABLE_AUTHN_STATEMENT";
- String DISABLE_SENDING_ROLES = "DISABLE_SENDING_ROLES";
+
+ String DISABLE_SENDING_ROLES = "DISABLE_SENDING_ROLES";
+
String DISABLE_ROLE_PICKING = "DISABLE_ROLE_PICKING";
+
String ROLE_KEY = "ROLE_KEY";
-
+
/**
* Processing Point - idp side
* or service side
*/
- public enum HANDLER_TYPE
- {
- IDP,SP;
+ public enum HANDLER_TYPE {
+ IDP, SP;
};
-
+
/**
* Initialize the handler
* @param handlerConfig Handler Config
*/
- void initChainConfig(SAML2HandlerChainConfig handlerChainConfig)
- throws ConfigurationException;
-
+ void initChainConfig(SAML2HandlerChainConfig handlerChainConfig) throws ConfigurationException;
+
/**
* Initialize the handler from configuration
* @param options
*/
- void initHandlerConfig(SAML2HandlerConfig handlerConfig)
- throws ConfigurationException;
-
+ void initHandlerConfig(SAML2HandlerConfig handlerConfig) throws ConfigurationException;
+
/**
* Generate a SAML Request to be sent to the IDP
* if the handler is invoked at the SP and vice-versa
@@ -68,9 +69,7 @@
* @param response
* @throws ProcessingException
*/
- void generateSAMLRequest(SAML2HandlerRequest request,
- SAML2HandlerResponse response) throws ProcessingException;
-
+ void generateSAMLRequest(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException;
/**
* Get the type of handler
@@ -78,25 +77,23 @@
* @return
*/
HANDLER_TYPE getType();
-
+
/**
* Handle a SAML2 RequestAbstractType
* @param requestAbstractType
* @param resultingDocument
* @return
*/
- void handleRequestType(SAML2HandlerRequest request,
- SAML2HandlerResponse response) throws ProcessingException;
-
+ void handleRequestType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException;
+
/**
* Handle a SAML2 Status Response Type
* @param statusResponseType
* @param resultingDocument
* @return
*/
- void handleStatusResponseType(SAML2HandlerRequest request,
- SAML2HandlerResponse response) throws ProcessingException;
-
+ void handleStatusResponseType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException;
+
/**
* Shed all state
* @throws ProcessingException
Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-07-28 22:13:46 UTC (rev 1146)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-07-28 22:24:59 UTC (rev 1147)
@@ -91,6 +91,7 @@
* @see SAML2Handler#DISABLE_ROLE_PICKING Setting to true will disable picking IDP attribute statements (SP Setting)
* @see SAML2Handler#ROLE_KEY a csv list of strings that represent the roles coming from IDP (SP Setting)
* @see GeneralConstants#NAMEID_FORMAT Setting to a value will provide the nameid format to be sent to IDP (SP Setting)
+ * @see SAML2Handler#ASSERTION_CONSUMER_URL: the url to be used for assertionConsumerURL
* </p>
*
* @author Anil.Saldhana(a)redhat.com
@@ -339,6 +340,12 @@
SAML2Request samlRequest = new SAML2Request();
String id = IDGenerator.create("ID_");
+ String assertionConsumerURL = (String) handlerConfig.getParameter(SAML2Handler.ASSERTION_CONSUMER_URL);
+ if (StringUtil.isNullOrEmpty(assertionConsumerURL))
+ {
+ assertionConsumerURL = issuerValue;
+ }
+
//Check if there is a nameid policy
String nameIDFormat = (String) handlerConfig.getParameter(GeneralConstants.NAMEID_FORMAT);
if (StringUtil.isNotNull(nameIDFormat))
@@ -347,8 +354,8 @@
}
try
{
- AuthnRequestType authn = samlRequest.createAuthnRequestType(id, issuerValue, response.getDestination(),
- issuerValue);
+ AuthnRequestType authn = samlRequest.createAuthnRequestType(id, assertionConsumerURL,
+ response.getDestination(), issuerValue);
response.setResultingDocument(samlRequest.convert(authn));
response.setSendRequest(true);
13 years, 4 months
Picketlink SVN: r1146 - in product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation: web/handlers/saml2 and 1 other directory.
by picketlink-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2011-07-28 18:13:46 -0400 (Thu, 28 Jul 2011)
New Revision: 1146
Added:
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java
Modified:
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java
Log:
merge r1145
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions
___________________________________________________________________
Added: svn:mergeinfo
+ /federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions:1144-1145
Copied: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java (from rev 1145, federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java)
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java (rev 0)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java 2011-07-28 22:13:46 UTC (rev 1146)
@@ -0,0 +1,53 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.picketlink.identity.federation.core.saml.v2.exceptions;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Indicates the failure of signature validation
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Jul 28, 2011
+ */
+public class SignatureValidationException extends GeneralSecurityException
+{
+ private static final long serialVersionUID = 1L;
+
+ public SignatureValidationException()
+ {
+ }
+
+ public SignatureValidationException(String message, Throwable cause)
+ {
+ super(message, cause);
+ }
+
+ public SignatureValidationException(String msg)
+ {
+ super(msg);
+ }
+
+ public SignatureValidationException(Throwable cause)
+ {
+ super(cause);
+ }
+}
\ No newline at end of file
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2
___________________________________________________________________
Added: svn:mergeinfo
+ /federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1144-1145
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java 2011-07-28 22:09:51 UTC (rev 1145)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java 2011-07-28 22:13:46 UTC (rev 1146)
@@ -26,6 +26,7 @@
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
+import org.picketlink.identity.federation.core.saml.v2.exceptions.SignatureValidationException;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerErrorCodes;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
@@ -41,61 +42,62 @@
*/
public class SAML2SignatureValidationHandler extends BaseSAML2Handler
{
- private static Logger log = Logger.getLogger(SAML2SignatureValidationHandler.class);
- private boolean trace = log.isTraceEnabled();
-
+ private static Logger log = Logger.getLogger(SAML2SignatureValidationHandler.class);
+
+ private final boolean trace = log.isTraceEnabled();
+
/**
* @see {@code SAML2Handler#handleRequestType(SAML2HandlerRequest, SAML2HandlerResponse)}
*/
public void handleRequestType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException
{
- Map<String,Object> requestOptions = request.getOptions();
- Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES);
- if(ignoreSignatures == Boolean.TRUE)
+ Map<String, Object> requestOptions = request.getOptions();
+ Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES);
+ if (ignoreSignatures == Boolean.TRUE)
return;
-
+
Document signedDocument = request.getRequestDocument();
-
- if(trace)
+
+ if (trace)
{
- log.trace("Will validate :" + DocumentUtil.asString(signedDocument));
+ log.trace("Will validate :" + DocumentUtil.asString(signedDocument));
}
PublicKey publicKey = (PublicKey) request.getOptions().get(GeneralConstants.SENDER_PUBLIC_KEY);
try
{
- boolean isValid = this.validateSender(signedDocument, publicKey);
- if(!isValid)
- throw new ProcessingException();
+ boolean isValid = this.validateSender(signedDocument, publicKey);
+ if (!isValid)
+ throw constructSignatureException();
}
- catch(ProcessingException pe)
+ catch (ProcessingException pe)
{
- response.setError(SAML2HandlerErrorCodes.SIGNATURE_INVALID,
- "Signature Validation Failed");
- throw pe;
+ response.setError(SAML2HandlerErrorCodes.SIGNATURE_INVALID, "Signature Validation Failed");
+ throw pe;
}
}
@Override
public void handleStatusResponseType(SAML2HandlerRequest request, SAML2HandlerResponse response)
throws ProcessingException
- {
- Map<String,Object> requestOptions = request.getOptions();
- Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES);
- if(ignoreSignatures == Boolean.TRUE)
+ {
+ Map<String, Object> requestOptions = request.getOptions();
+ Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES);
+ if (ignoreSignatures == Boolean.TRUE)
return;
-
+
Document signedDocument = request.getRequestDocument();
- if(trace)
+ if (trace)
{
- log.trace("Document for validation=" + DocumentUtil.asString(signedDocument));
+ log.trace("Document for validation=" + DocumentUtil.asString(signedDocument));
}
-
+
PublicKey publicKey = (PublicKey) request.getOptions().get(GeneralConstants.SENDER_PUBLIC_KEY);
- this.validateSender(signedDocument, publicKey);
+ boolean isValid = this.validateSender(signedDocument, publicKey);
+ if (!isValid)
+ throw constructSignatureException();
}
-
- private boolean validateSender(Document signedDocument, PublicKey publicKey)
- throws ProcessingException
+
+ private boolean validateSender(Document signedDocument, PublicKey publicKey) throws ProcessingException
{
try
{
@@ -103,8 +105,14 @@
}
catch (Exception e)
{
- log.error("Error validating signature:" , e);
+ log.error("Error validating signature:", e);
throw new ProcessingException("Error validating signature.");
- }
- }
+ }
+ }
+
+ private ProcessingException constructSignatureException()
+ {
+ SignatureValidationException sv = new SignatureValidationException("Signature Validation Failed");
+ return new ProcessingException(sv);
+ }
}
\ No newline at end of file
13 years, 4 months
Picketlink SVN: r1145 - in federation/trunk: picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2 and 1 other directory.
by picketlink-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2011-07-28 18:09:51 -0400 (Thu, 28 Jul 2011)
New Revision: 1145
Added:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java
Log:
PLFED-8: throw ex if sig validation fails
Added: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java (rev 0)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/exceptions/SignatureValidationException.java 2011-07-28 22:09:51 UTC (rev 1145)
@@ -0,0 +1,53 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.picketlink.identity.federation.core.saml.v2.exceptions;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Indicates the failure of signature validation
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Jul 28, 2011
+ */
+public class SignatureValidationException extends GeneralSecurityException
+{
+ private static final long serialVersionUID = 1L;
+
+ public SignatureValidationException()
+ {
+ }
+
+ public SignatureValidationException(String message, Throwable cause)
+ {
+ super(message, cause);
+ }
+
+ public SignatureValidationException(String msg)
+ {
+ super(msg);
+ }
+
+ public SignatureValidationException(Throwable cause)
+ {
+ super(cause);
+ }
+}
\ No newline at end of file
Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java 2011-07-28 21:41:04 UTC (rev 1144)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java 2011-07-28 22:09:51 UTC (rev 1145)
@@ -26,6 +26,7 @@
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
+import org.picketlink.identity.federation.core.saml.v2.exceptions.SignatureValidationException;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerErrorCodes;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
@@ -41,61 +42,62 @@
*/
public class SAML2SignatureValidationHandler extends BaseSAML2Handler
{
- private static Logger log = Logger.getLogger(SAML2SignatureValidationHandler.class);
- private boolean trace = log.isTraceEnabled();
-
+ private static Logger log = Logger.getLogger(SAML2SignatureValidationHandler.class);
+
+ private final boolean trace = log.isTraceEnabled();
+
/**
* @see {@code SAML2Handler#handleRequestType(SAML2HandlerRequest, SAML2HandlerResponse)}
*/
public void handleRequestType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException
{
- Map<String,Object> requestOptions = request.getOptions();
- Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES);
- if(ignoreSignatures == Boolean.TRUE)
+ Map<String, Object> requestOptions = request.getOptions();
+ Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES);
+ if (ignoreSignatures == Boolean.TRUE)
return;
-
+
Document signedDocument = request.getRequestDocument();
-
- if(trace)
+
+ if (trace)
{
- log.trace("Will validate :" + DocumentUtil.asString(signedDocument));
+ log.trace("Will validate :" + DocumentUtil.asString(signedDocument));
}
PublicKey publicKey = (PublicKey) request.getOptions().get(GeneralConstants.SENDER_PUBLIC_KEY);
try
{
- boolean isValid = this.validateSender(signedDocument, publicKey);
- if(!isValid)
- throw new ProcessingException();
+ boolean isValid = this.validateSender(signedDocument, publicKey);
+ if (!isValid)
+ throw constructSignatureException();
}
- catch(ProcessingException pe)
+ catch (ProcessingException pe)
{
- response.setError(SAML2HandlerErrorCodes.SIGNATURE_INVALID,
- "Signature Validation Failed");
- throw pe;
+ response.setError(SAML2HandlerErrorCodes.SIGNATURE_INVALID, "Signature Validation Failed");
+ throw pe;
}
}
@Override
public void handleStatusResponseType(SAML2HandlerRequest request, SAML2HandlerResponse response)
throws ProcessingException
- {
- Map<String,Object> requestOptions = request.getOptions();
- Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES);
- if(ignoreSignatures == Boolean.TRUE)
+ {
+ Map<String, Object> requestOptions = request.getOptions();
+ Boolean ignoreSignatures = (Boolean) requestOptions.get(GeneralConstants.IGNORE_SIGNATURES);
+ if (ignoreSignatures == Boolean.TRUE)
return;
-
+
Document signedDocument = request.getRequestDocument();
- if(trace)
+ if (trace)
{
- log.trace("Document for validation=" + DocumentUtil.asString(signedDocument));
+ log.trace("Document for validation=" + DocumentUtil.asString(signedDocument));
}
-
+
PublicKey publicKey = (PublicKey) request.getOptions().get(GeneralConstants.SENDER_PUBLIC_KEY);
- this.validateSender(signedDocument, publicKey);
+ boolean isValid = this.validateSender(signedDocument, publicKey);
+ if (!isValid)
+ throw constructSignatureException();
}
-
- private boolean validateSender(Document signedDocument, PublicKey publicKey)
- throws ProcessingException
+
+ private boolean validateSender(Document signedDocument, PublicKey publicKey) throws ProcessingException
{
try
{
@@ -103,8 +105,14 @@
}
catch (Exception e)
{
- log.error("Error validating signature:" , e);
+ log.error("Error validating signature:", e);
throw new ProcessingException("Error validating signature.");
- }
- }
+ }
+ }
+
+ private ProcessingException constructSignatureException()
+ {
+ SignatureValidationException sv = new SignatureValidationException("Signature Validation Failed");
+ return new ProcessingException(sv);
+ }
}
\ No newline at end of file
13 years, 4 months
Picketlink SVN: r1144 - product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp.
by picketlink-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2011-07-28 17:41:04 -0400 (Thu, 28 Jul 2011)
New Revision: 1144
Modified:
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
Log:
merge r1143
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp
___________________________________________________________________
Modified: svn:mergeinfo
- /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1138-1141
+ /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1138-1143
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 21:38:57 UTC (rev 1143)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 21:41:04 UTC (rev 1144)
@@ -37,6 +37,7 @@
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.crypto.dsig.CanonicalizationMethod;
@@ -46,6 +47,7 @@
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
+import org.apache.catalina.deploy.LoginConfig;
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.api.saml.v2.metadata.MetaDataExtractor;
import org.picketlink.identity.federation.core.config.SPType;
@@ -253,54 +255,42 @@
}
}
- //Mock test purpose
- public void testStart() throws LifecycleException
+ /**
+ * Fall back on local authentication at the service provider side
+ * @param request
+ * @param response
+ * @param loginConfig
+ * @return
+ * @throws IOException
+ */
+ protected boolean localAuthentication(Request request, Response response, LoginConfig loginConfig)
+ throws IOException
{
- this.saveRestoreRequest = false;
- if (context == null)
- throw new RuntimeException("Catalina Context not set up");
- processStart();
- }
-
- private void processStart() throws LifecycleException
- {
- Handlers handlers = null;
-
- //Get the chain from config
- if (StringUtil.isNullOrEmpty(samlHandlerChainClass))
+ if (request.getUserPrincipal() == null)
{
- chain = SAML2HandlerChainFactory.createChain();
- }
- else
- {
+ log.error("Falling back on local Form Authentication if available");//fallback
try
{
- chain = SAML2HandlerChainFactory.createChain(this.samlHandlerChainClass);
+ return super.authenticate(request, response, loginConfig);
}
- catch (ProcessingException e1)
+ catch (NoSuchMethodError e)
{
- throw new LifecycleException(e1);
+ //Use Reflection
+ try
+ {
+ Method method = super.getClass().getMethod("authenticate", new Class[]
+ {HttpServletRequest.class, HttpServletResponse.class, LoginConfig.class});
+ return (Boolean) method.invoke(this, new Object[]
+ {request.getRequest(), response.getResponse(), loginConfig});
+ }
+ catch (Exception ex)
+ {
+ throw new IOException("Unable to fallback on local auth", ex);
+ }
}
}
-
- ServletContext servletContext = context.getServletContext();
-
- this.processConfiguration();
-
- try
- {
- //Get the handlers
- String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION;
- handlers = ConfigurationUtil.getHandlers(servletContext.getResourceAsStream(handlerConfigFileName));
- chain.addAll(HandlerUtil.getHandlers(handlers));
-
- this.populateChainConfig();
- this.initializeHandlerChain();
- }
- catch (Exception e)
- {
- throw new RuntimeException(e);
- }
+ else
+ return true;
}
/**
@@ -481,6 +471,56 @@
}
}
+ //Mock test purpose
+ public void testStart() throws LifecycleException
+ {
+ this.saveRestoreRequest = false;
+ if (context == null)
+ throw new RuntimeException("Catalina Context not set up");
+ processStart();
+ }
+
+ private void processStart() throws LifecycleException
+ {
+ Handlers handlers = null;
+
+ //Get the chain from config
+ if (StringUtil.isNullOrEmpty(samlHandlerChainClass))
+ {
+ chain = SAML2HandlerChainFactory.createChain();
+ }
+ else
+ {
+ try
+ {
+ chain = SAML2HandlerChainFactory.createChain(this.samlHandlerChainClass);
+ }
+ catch (ProcessingException e1)
+ {
+ throw new LifecycleException(e1);
+ }
+ }
+
+ ServletContext servletContext = context.getServletContext();
+
+ this.processConfiguration();
+
+ try
+ {
+ //Get the handlers
+ String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION;
+ handlers = ConfigurationUtil.getHandlers(servletContext.getResourceAsStream(handlerConfigFileName));
+ chain.addAll(HandlerUtil.getHandlers(handlers));
+
+ this.populateChainConfig();
+ this.initializeHandlerChain();
+ }
+ catch (Exception e)
+ {
+ throw new RuntimeException(e);
+ }
+ }
+
private Class<?> getAuthenticatorBaseClass()
{
Class<?> myClass = getClass();
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 21:38:57 UTC (rev 1143)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 21:41:04 UTC (rev 1144)
@@ -46,6 +46,7 @@
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
+import org.picketlink.identity.federation.core.saml.v2.exceptions.AssertionExpiredException;
import org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.picketlink.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
@@ -118,8 +119,6 @@
{
Session session = request.getSessionInternal(true);
- SPUtil spUtil = new SPUtil();
-
//Eagerly look for Local LogOut
String lloStr = request.getParameter(GeneralConstants.LOCAL_LOGOUT);
boolean localLogout = isNotNull(lloStr) && "true".equalsIgnoreCase(lloStr);
@@ -150,189 +149,256 @@
if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse)))
return true;
+ //General User Request
+ if (!isNotNull(samlRequest) && !isNotNull(samlResponse))
+ {
+ return generalUserRequest(request, response, loginConfig);
+ }
+
+ //Handle a SAML Response from IDP
+ if (isNotNull(samlResponse))
+ {
+ return handleSAMLResponse(request, response, loginConfig);
+ }
+
+ //Handle SAML Requests from IDP
+ if (isNotNull(samlRequest))
+ {
+ return handleSAMLRequest(request, response, loginConfig);
+ }//end if
+
+ return localAuthentication(request, response, loginConfig);
+ }
+
+ /**
+ * Handle the IDP Request
+ * @param request
+ * @param response
+ * @param loginConfig
+ * @return
+ * @throws IOException
+ */
+ protected boolean handleSAMLRequest(Request request, Response response, LoginConfig loginConfig) throws IOException
+ {
+ String samlRequest = request.getParameter(GeneralConstants.SAML_REQUEST_KEY);
+ HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext());
+ Set<SAML2Handler> handlers = chain.handlers();
+
+ try
+ {
+ ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(true,
+ this.serviceURL);
+ requestProcessor.setTrustKeyManager(keyManager);
+ requestProcessor.setSupportSignatures(supportSignatures);
+ boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock);
+
+ if (result)
+ return result;
+ }
+ catch (Exception e)
+ {
+ if (trace)
+ log.trace("Server Exception:", e);
+ throw new IOException("Server Exception");
+ }
+ return localAuthentication(request, response, loginConfig);
+ }
+
+ /**
+ * Handle IDP Response
+ * @param request
+ * @param response
+ * @param loginConfig
+ * @return
+ * @throws IOException
+ */
+ protected boolean handleSAMLResponse(Request request, Response response, LoginConfig loginConfig) throws IOException
+ {
+ SPUtil spUtil = new SPUtil();
+ boolean isValid = false;
+ Session session = request.getSessionInternal(true);
+ String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY);
+
String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
-
boolean willSendRequest = false;
HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext());
Set<SAML2Handler> handlers = chain.handlers();
- //General User Request
- if (!isNotNull(samlRequest) && !isNotNull(samlResponse))
+ Principal principal = request.getUserPrincipal();
+ try
{
- //Neither saml request nor response from IDP
- //So this is a user request
- SAML2HandlerResponse saml2HandlerResponse = null;
- try
- {
- ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(true, serviceURL);
- if (issuerID != null)
- baseProcessor.setIssuer(issuerID);
+ isValid = this.validate(request);
+ }
+ catch (Exception e)
+ {
+ log.error("Exception:", e);
+ throw new IOException();
+ }
+ if (!isValid)
+ throw new IOException("Validity check failed");
- baseProcessor.setIdentityURL(identityURL);
+ //deal with SAML response from IDP
+ try
+ {
+ ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(true,
+ serviceURL);
+ responseProcessor.setValidateSignature(validateSignature);
+ responseProcessor.setTrustKeyManager(keyManager);
- saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
- }
- catch (ProcessingException pe)
- {
- log.error("Processing Exception:", pe);
- throw new RuntimeException(pe);
- }
- catch (ParsingException pe)
- {
- log.error("Parsing Exception:", pe);
- throw new RuntimeException(pe);
- }
- catch (ConfigurationException pe)
- {
- log.error("Config Exception:", pe);
- throw new RuntimeException(pe);
- }
+ SAML2HandlerResponse saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers,
+ chainLock);
- willSendRequest = saml2HandlerResponse.getSendRequest();
-
Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
relayState = saml2HandlerResponse.getRelayState();
String destination = saml2HandlerResponse.getDestination();
+ willSendRequest = saml2HandlerResponse.getSendRequest();
+
if (destination != null && samlResponseDocument != null)
{
- try
+ sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest);
+ }
+ else
+ {
+ //See if the session has been invalidated
+
+ boolean sessionValidity = session.isValid();
+ if (!sessionValidity)
{
- if (saveRestoreRequest)
- {
- this.saveRequest(request, session);
- }
- sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest);
+ sendToLogoutPage(request, response, session);
return false;
}
- catch (Exception e)
+
+ //We got a response with the principal
+ List<String> roles = saml2HandlerResponse.getRoles();
+ if (principal == null)
+ principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID);
+
+ String username = principal.getName();
+ String password = ServiceProviderSAMLContext.EMPTY_PASSWORD;
+ if (trace)
+ log.trace("Roles determined for username=" + username + "=" + Arrays.toString(roles.toArray()));
+
+ //Map to JBoss specific principal
+ if ((new ServerDetector()).isJboss() || jbossEnv)
{
- if (trace)
- log.trace("Exception:", e);
- throw new IOException("Server Error");
+ //Push a context
+ ServiceProviderSAMLContext.push(username, roles);
+ principal = context.getRealm().authenticate(username, password);
+ ServiceProviderSAMLContext.clear();
}
+ else
+ {
+ //tomcat env
+ principal = spUtil.createGenericPrincipal(request, username, roles);
+ }
+
+ session.setNote(Constants.SESS_USERNAME_NOTE, username);
+ session.setNote(Constants.SESS_PASSWORD_NOTE, password);
+ request.setUserPrincipal(principal);
+ //Get the original saved request
+ if (saveRestoreRequest)
+ {
+ this.restoreRequest(request, session);
+ }
+ register(request, response, principal, Constants.FORM_METHOD, username, password);
+
+ return true;
}
}
-
- //Handle a SAML Response from IDP
- if (isNotNull(samlResponse))
+ catch (ProcessingException pe)
{
- boolean isValid = false;
- try
+ Throwable t = pe.getCause();
+ if (t != null && t instanceof AssertionExpiredException)
{
- isValid = this.validate(request);
+ log.error("Assertion has expired. Asking IDP for reissue");
+ //Just issue a fresh request back to IDP
+ return generalUserRequest(request, response, loginConfig);
}
- catch (Exception e)
- {
- log.error("Exception:", e);
- throw new IOException();
- }
- if (!isValid)
- throw new IOException("Validity check failed");
+ throw new IOException("Server Exception:" + pe.getLocalizedMessage());
+ }
+ catch (Exception e)
+ {
+ log.error("Server Exception:", e);
+ throw new IOException("Server Exception");
+ }
+ return localAuthentication(request, response, loginConfig);
+ }
- //deal with SAML response from IDP
- try
- {
- ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(true,
- serviceURL);
- responseProcessor.setValidateSignature(validateSignature);
- responseProcessor.setTrustKeyManager(keyManager);
+ /**
+ * Handle the user invocation for the first time
+ * @param request
+ * @param response
+ * @param loginConfig
+ * @return
+ * @throws IOException
+ */
+ protected boolean generalUserRequest(Request request, Response response, LoginConfig loginConfig) throws IOException
+ {
+ Session session = request.getSessionInternal(true);
+ boolean willSendRequest = false;
+ HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext());
+ Set<SAML2Handler> handlers = chain.handlers();
- SAML2HandlerResponse saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers,
- chainLock);
+ String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
- Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
- relayState = saml2HandlerResponse.getRelayState();
+ //Neither saml request nor response from IDP
+ //So this is a user request
+ SAML2HandlerResponse saml2HandlerResponse = null;
+ try
+ {
+ ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(true, serviceURL);
+ if (issuerID != null)
+ baseProcessor.setIssuer(issuerID);
- String destination = saml2HandlerResponse.getDestination();
+ baseProcessor.setIdentityURL(identityURL);
- willSendRequest = saml2HandlerResponse.getSendRequest();
+ saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
+ }
+ catch (ProcessingException pe)
+ {
+ log.error("Processing Exception:", pe);
+ throw new RuntimeException(pe);
+ }
+ catch (ParsingException pe)
+ {
+ log.error("Parsing Exception:", pe);
+ throw new RuntimeException(pe);
+ }
+ catch (ConfigurationException pe)
+ {
+ log.error("Config Exception:", pe);
+ throw new RuntimeException(pe);
+ }
- if (destination != null && samlResponseDocument != null)
- {
- sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest);
- }
- else
- {
- //See if the session has been invalidated
+ willSendRequest = saml2HandlerResponse.getSendRequest();
- boolean sessionValidity = session.isValid();
- if (!sessionValidity)
- {
- sendToLogoutPage(request, response, session);
- return false;
- }
+ Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
+ relayState = saml2HandlerResponse.getRelayState();
- //We got a response with the principal
- List<String> roles = saml2HandlerResponse.getRoles();
- if (principal == null)
- principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID);
+ String destination = saml2HandlerResponse.getDestination();
- String username = principal.getName();
- String password = ServiceProviderSAMLContext.EMPTY_PASSWORD;
- if (trace)
- log.trace("Roles determined for username=" + username + "=" + Arrays.toString(roles.toArray()));
-
- //Map to JBoss specific principal
- if ((new ServerDetector()).isJboss() || jbossEnv)
- {
- //Push a context
- ServiceProviderSAMLContext.push(username, roles);
- principal = context.getRealm().authenticate(username, password);
- ServiceProviderSAMLContext.clear();
- }
- else
- {
- //tomcat env
- principal = spUtil.createGenericPrincipal(request, username, roles);
- }
-
- session.setNote(Constants.SESS_USERNAME_NOTE, username);
- session.setNote(Constants.SESS_PASSWORD_NOTE, password);
- request.setUserPrincipal(principal);
- //Get the original saved request
- if (saveRestoreRequest)
- {
- this.restoreRequest(request, session);
- }
- register(request, response, principal, Constants.FORM_METHOD, username, password);
-
- return true;
- }
- }
- catch (Exception e)
- {
- log.error("Server Exception:", e);
- throw new IOException("Server Exception");
- }
- }
-
- //Handle SAML Requests from IDP
- if (isNotNull(samlRequest))
+ if (destination != null && samlResponseDocument != null)
{
try
{
- ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(true,
- this.serviceURL);
- requestProcessor.setTrustKeyManager(keyManager);
- requestProcessor.setSupportSignatures(supportSignatures);
- boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock);
-
- if (result)
- return result;
+ if (saveRestoreRequest)
+ {
+ this.saveRequest(request, session);
+ }
+ sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest);
+ return false;
}
catch (Exception e)
{
if (trace)
- log.trace("Server Exception:", e);
- throw new IOException("Server Exception");
+ log.trace("Exception:", e);
+ throw new IOException("Server Error");
}
- }//end if
+ }
- log.error("Did not find any SAML Request/Response. Falling back on local Form Authentication if available");
- //fallback
- return super.authenticate(request, response, loginConfig);
+ return localAuthentication(request, response, loginConfig);
}
@Override
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 21:38:57 UTC (rev 1143)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 21:41:04 UTC (rev 1144)
@@ -141,42 +141,120 @@
if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse)))
return true;
+ //General User Request
+ if (!isNotNull(samlRequest) && !isNotNull(samlResponse))
+ {
+ return generalUserRequest(request, response, loginConfig);
+ }
+
+ //See if we got a response from IDP
+ if (isNotNull(samlResponse))
+ {
+ return handleSAMLResponse(request, response, loginConfig);
+ }
+
+ //Handle SAML Requests from IDP
+ if (isNotNull(samlRequest))
+ {
+ return handleSAMLRequest(request, response, loginConfig);
+ }//end if
+
+ return localAuthentication(request, response, loginConfig);
+ }
+
+ /**
+ * Handle the SAML Request message from IDP
+ * @param request
+ * @param response
+ * @param loginConfig
+ * @return
+ * @throws IOException
+ */
+ protected boolean handleSAMLRequest(Request request, Response response, LoginConfig loginConfig) throws IOException
+ {
+ String samlRequest = request.getParameter(GeneralConstants.SAML_REQUEST_KEY);
+ HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext());
+
+ Set<SAML2Handler> handlers = chain.handlers();
+
+ //we got a logout request
+ try
+ {
+ ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(false,
+ this.serviceURL);
+ boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock);
+
+ if (result)
+ return result;
+ }
+ catch (Exception e)
+ {
+ log.error("Server Exception:", e);
+ throw new IOException("Server Exception");
+ }
+ return localAuthentication(request, response, loginConfig);
+ }
+
+ /**
+ * Handle the IDP Response
+ * @param request
+ * @param response
+ * @param loginConfig
+ * @return
+ * @throws IOException
+ */
+ protected boolean handleSAMLResponse(Request request, Response response, LoginConfig loginConfig) throws IOException
+ {
+ Session session = request.getSessionInternal(true);
+
+ String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY);
+
+ Principal principal = request.getUserPrincipal();
+
String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext());
Set<SAML2Handler> handlers = chain.handlers();
+ boolean isValid = false;
+ try
+ {
+ isValid = this.validate(request);
+ }
+ catch (Exception e)
+ {
+ log.error("Exception:", e);
+ throw new IOException();
+ }
+ if (!isValid)
+ throw new IOException("Validity check failed");
- //General User Request
- if (!isNotNull(samlRequest) && !isNotNull(samlResponse))
+ try
{
- //Neither saml request nor response from IDP
- //So this is a user request
+ ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(false,
+ serviceURL);
+ initializeSAMLProcessor(responseProcessor);
+
SAML2HandlerResponse saml2HandlerResponse = null;
+
try
{
- ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL);
-
- initializeSAMLProcessor(baseProcessor);
-
- saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
- saml2HandlerResponse.setDestination(identityURL);
+ saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers, chainLock);
}
catch (ProcessingException pe)
{
- log.error("Processing Exception:", pe);
- throw new RuntimeException(pe);
+ Throwable te = pe.getCause();
+ if (te instanceof AssertionExpiredException)
+ {
+ //We need to reissue redirect to IDP
+ ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL);
+ initializeSAMLProcessor(baseProcessor);
+
+ saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
+ saml2HandlerResponse.setDestination(identityURL);
+ }
+ else
+ throw pe;
}
- catch (ParsingException pe)
- {
- log.error("Parsing Exception:", pe);
- throw new RuntimeException(pe);
- }
- catch (ConfigurationException pe)
- {
- log.error("Config Exception:", pe);
- throw new RuntimeException(pe);
- }
-
Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
relayState = saml2HandlerResponse.getRelayState();
@@ -184,188 +262,175 @@
if (destination != null && samlResponseDocument != null)
{
- try
- {
- String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument);
- if (trace)
- log.trace("SAML Document=" + samlMsg);
+ boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest();
+ String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument);
- boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest();
+ String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8"));
- String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8"));
+ String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest);
- String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest);
+ RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder();
+ holder.setDestination(destination).setDestinationQueryString(destinationQuery);
- RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder();
- holder.setDestination(destination).setDestinationQueryString(destinationQuery);
+ String destinationURL = RedirectBindingUtil.getDestinationURL(holder);
- String destinationURL = RedirectBindingUtil.getDestinationURL(holder);
+ HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response);
+ }
+ else
+ {
+ //See if the session has been invalidated
+ boolean sessionValidity = session.isValid();
+ if (!sessionValidity)
+ {
+ sendToLogoutPage(request, response, session);
+ return false;
+ }
- if (trace)
- {
- log.trace("URL used for sending:" + destinationURL);
- }
+ //We got a response with the principal
+ List<String> roles = saml2HandlerResponse.getRoles();
+ if (principal == null)
+ principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID);
- if (saveRestoreRequest)
- {
- this.saveRequest(request, session);
- }
+ String username = principal.getName();
+ String password = ServiceProviderSAMLContext.EMPTY_PASSWORD;
- HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response);
- return false;
+ //Map to JBoss specific principal
+ if ((new ServerDetector()).isJboss() || jbossEnv)
+ {
+ //Push a context
+ ServiceProviderSAMLContext.push(username, roles);
+ principal = context.getRealm().authenticate(username, password);
+ ServiceProviderSAMLContext.clear();
}
- catch (Exception e)
+ else
{
- if (trace)
- log.trace("Exception:", e);
- throw new IOException("Server Error");
+ //tomcat env
+ SPUtil spUtil = new SPUtil();
+ principal = spUtil.createGenericPrincipal(request, principal.getName(), roles);
}
+
+ session.setNote(Constants.SESS_USERNAME_NOTE, username);
+ session.setNote(Constants.SESS_PASSWORD_NOTE, password);
+ request.setUserPrincipal(principal);
+
+ if (saveRestoreRequest)
+ {
+ this.restoreRequest(request, session);
+ }
+ register(request, response, principal, Constants.FORM_METHOD, username, password);
+
+ return true;
}
}
-
- //See if we got a response from IDP
- if (isNotNull(samlResponse))
+ catch (ProcessingException pe)
{
- boolean isValid = false;
- try
+ Throwable t = pe.getCause();
+ if (t != null && t instanceof AssertionExpiredException)
{
- isValid = this.validate(request);
+ log.error("Assertion has expired. Asking IDP for reissue");
+ //Just issue a fresh request back to IDP
+ return generalUserRequest(request, response, loginConfig);
}
- catch (Exception e)
- {
- log.error("Exception:", e);
- throw new IOException();
- }
- if (!isValid)
- throw new IOException("Validity check failed");
+ throw new IOException("Server Exception:" + pe.getLocalizedMessage());
+ }
+ catch (Exception e)
+ {
+ if (trace)
+ log.trace("Server Exception:", e);
+ throw new IOException("Server Exception:" + e.getLocalizedMessage());
+ }
+ return localAuthentication(request, response, loginConfig);
+ }
- try
- {
- ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(false,
- serviceURL);
- initializeSAMLProcessor(responseProcessor);
+ /**
+ * Handle the user invocation for the first time
+ * @param request
+ * @param response
+ * @param loginConfig
+ * @return
+ * @throws IOException
+ */
+ protected boolean generalUserRequest(Request request, Response response, LoginConfig loginConfig) throws IOException
+ {
+ Session session = request.getSessionInternal(true);
+ HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext());
+ Set<SAML2Handler> handlers = chain.handlers();
- SAML2HandlerResponse saml2HandlerResponse = null;
+ String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
- try
- {
- saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers, chainLock);
- }
- catch (ProcessingException pe)
- {
- Throwable te = pe.getCause();
- if (te instanceof AssertionExpiredException)
- {
- //We need to reissue redirect to IDP
- ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL);
- initializeSAMLProcessor(baseProcessor);
+ //Neither saml request nor response from IDP
+ //So this is a user request
+ SAML2HandlerResponse saml2HandlerResponse = null;
+ try
+ {
+ ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL);
- saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
- saml2HandlerResponse.setDestination(identityURL);
- }
- else
- throw pe;
- }
- Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
- relayState = saml2HandlerResponse.getRelayState();
+ initializeSAMLProcessor(baseProcessor);
- String destination = saml2HandlerResponse.getDestination();
+ saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
+ saml2HandlerResponse.setDestination(identityURL);
+ }
+ catch (ProcessingException pe)
+ {
+ log.error("Processing Exception:", pe);
+ throw new RuntimeException(pe);
+ }
+ catch (ParsingException pe)
+ {
+ log.error("Parsing Exception:", pe);
+ throw new RuntimeException(pe);
+ }
+ catch (ConfigurationException pe)
+ {
+ log.error("Config Exception:", pe);
+ throw new RuntimeException(pe);
+ }
- if (destination != null && samlResponseDocument != null)
- {
- boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest();
- String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument);
+ Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
+ relayState = saml2HandlerResponse.getRelayState();
- String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8"));
+ String destination = saml2HandlerResponse.getDestination();
- String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest);
+ if (destination != null && samlResponseDocument != null)
+ {
+ try
+ {
+ String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument);
+ if (trace)
+ log.trace("SAML Document=" + samlMsg);
- RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder();
- holder.setDestination(destination).setDestinationQueryString(destinationQuery);
+ boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest();
- String destinationURL = RedirectBindingUtil.getDestinationURL(holder);
+ String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8"));
- HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response);
- }
- else
- {
- //See if the session has been invalidated
- boolean sessionValidity = session.isValid();
- if (!sessionValidity)
- {
- sendToLogoutPage(request, response, session);
- return false;
- }
+ String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest);
- //We got a response with the principal
- List<String> roles = saml2HandlerResponse.getRoles();
- if (principal == null)
- principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID);
+ RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder();
+ holder.setDestination(destination).setDestinationQueryString(destinationQuery);
- String username = principal.getName();
- String password = ServiceProviderSAMLContext.EMPTY_PASSWORD;
+ String destinationURL = RedirectBindingUtil.getDestinationURL(holder);
- //Map to JBoss specific principal
- if ((new ServerDetector()).isJboss() || jbossEnv)
- {
- //Push a context
- ServiceProviderSAMLContext.push(username, roles);
- principal = context.getRealm().authenticate(username, password);
- ServiceProviderSAMLContext.clear();
- }
- else
- {
- //tomcat env
- SPUtil spUtil = new SPUtil();
- principal = spUtil.createGenericPrincipal(request, principal.getName(), roles);
- }
+ if (trace)
+ {
+ log.trace("URL used for sending:" + destinationURL);
+ }
- session.setNote(Constants.SESS_USERNAME_NOTE, username);
- session.setNote(Constants.SESS_PASSWORD_NOTE, password);
- request.setUserPrincipal(principal);
+ if (saveRestoreRequest)
+ {
+ this.saveRequest(request, session);
+ }
- if (saveRestoreRequest)
- {
- this.restoreRequest(request, session);
- }
- register(request, response, principal, Constants.FORM_METHOD, username, password);
-
- return true;
- }
+ HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response);
+ return false;
}
catch (Exception e)
{
- e.printStackTrace();
if (trace)
- log.trace("Server Exception:", e);
- throw new IOException("Server Exception:" + e.getLocalizedMessage());
+ log.trace("Exception:", e);
+ throw new IOException("Server Error");
}
}
-
- //Handle SAML Requests from IDP
- if (isNotNull(samlRequest))
- {
- //we got a logout request
- try
- {
- ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(false,
- this.serviceURL);
- boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock);
-
- if (result)
- return result;
- }
- catch (Exception e)
- {
- log.error("Server Exception:", e);
- throw new IOException("Server Exception");
- }
-
- }//end if
-
- log.error("Did not find any SAML Request/Response. Falling back on local Form Authentication if available");
- //fallback
- return super.authenticate(request, response, loginConfig);
+ return localAuthentication(request, response, loginConfig);
}
protected String createSAMLRequestMessage(String relayState, Response response) throws ServletException,
13 years, 4 months
Picketlink SVN: r1143 - federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp.
by picketlink-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2011-07-28 17:38:57 -0400 (Thu, 28 Jul 2011)
New Revision: 1143
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
Log:
PLFED-197: refactor the sp methods
Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 18:57:30 UTC (rev 1142)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 21:38:57 UTC (rev 1143)
@@ -37,6 +37,7 @@
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.crypto.dsig.CanonicalizationMethod;
@@ -46,6 +47,7 @@
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
+import org.apache.catalina.deploy.LoginConfig;
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.api.saml.v2.metadata.MetaDataExtractor;
import org.picketlink.identity.federation.core.config.SPType;
@@ -253,54 +255,42 @@
}
}
- //Mock test purpose
- public void testStart() throws LifecycleException
+ /**
+ * Fall back on local authentication at the service provider side
+ * @param request
+ * @param response
+ * @param loginConfig
+ * @return
+ * @throws IOException
+ */
+ protected boolean localAuthentication(Request request, Response response, LoginConfig loginConfig)
+ throws IOException
{
- this.saveRestoreRequest = false;
- if (context == null)
- throw new RuntimeException("Catalina Context not set up");
- processStart();
- }
-
- private void processStart() throws LifecycleException
- {
- Handlers handlers = null;
-
- //Get the chain from config
- if (StringUtil.isNullOrEmpty(samlHandlerChainClass))
+ if (request.getUserPrincipal() == null)
{
- chain = SAML2HandlerChainFactory.createChain();
- }
- else
- {
+ log.error("Falling back on local Form Authentication if available");//fallback
try
{
- chain = SAML2HandlerChainFactory.createChain(this.samlHandlerChainClass);
+ return super.authenticate(request, response, loginConfig);
}
- catch (ProcessingException e1)
+ catch (NoSuchMethodError e)
{
- throw new LifecycleException(e1);
+ //Use Reflection
+ try
+ {
+ Method method = super.getClass().getMethod("authenticate", new Class[]
+ {HttpServletRequest.class, HttpServletResponse.class, LoginConfig.class});
+ return (Boolean) method.invoke(this, new Object[]
+ {request.getRequest(), response.getResponse(), loginConfig});
+ }
+ catch (Exception ex)
+ {
+ throw new IOException("Unable to fallback on local auth", ex);
+ }
}
}
-
- ServletContext servletContext = context.getServletContext();
-
- this.processConfiguration();
-
- try
- {
- //Get the handlers
- String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION;
- handlers = ConfigurationUtil.getHandlers(servletContext.getResourceAsStream(handlerConfigFileName));
- chain.addAll(HandlerUtil.getHandlers(handlers));
-
- this.populateChainConfig();
- this.initializeHandlerChain();
- }
- catch (Exception e)
- {
- throw new RuntimeException(e);
- }
+ else
+ return true;
}
/**
@@ -481,6 +471,56 @@
}
}
+ //Mock test purpose
+ public void testStart() throws LifecycleException
+ {
+ this.saveRestoreRequest = false;
+ if (context == null)
+ throw new RuntimeException("Catalina Context not set up");
+ processStart();
+ }
+
+ private void processStart() throws LifecycleException
+ {
+ Handlers handlers = null;
+
+ //Get the chain from config
+ if (StringUtil.isNullOrEmpty(samlHandlerChainClass))
+ {
+ chain = SAML2HandlerChainFactory.createChain();
+ }
+ else
+ {
+ try
+ {
+ chain = SAML2HandlerChainFactory.createChain(this.samlHandlerChainClass);
+ }
+ catch (ProcessingException e1)
+ {
+ throw new LifecycleException(e1);
+ }
+ }
+
+ ServletContext servletContext = context.getServletContext();
+
+ this.processConfiguration();
+
+ try
+ {
+ //Get the handlers
+ String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION;
+ handlers = ConfigurationUtil.getHandlers(servletContext.getResourceAsStream(handlerConfigFileName));
+ chain.addAll(HandlerUtil.getHandlers(handlers));
+
+ this.populateChainConfig();
+ this.initializeHandlerChain();
+ }
+ catch (Exception e)
+ {
+ throw new RuntimeException(e);
+ }
+ }
+
private Class<?> getAuthenticatorBaseClass()
{
Class<?> myClass = getClass();
Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 18:57:30 UTC (rev 1142)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 21:38:57 UTC (rev 1143)
@@ -46,6 +46,7 @@
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
+import org.picketlink.identity.federation.core.saml.v2.exceptions.AssertionExpiredException;
import org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.picketlink.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
@@ -118,8 +119,6 @@
{
Session session = request.getSessionInternal(true);
- SPUtil spUtil = new SPUtil();
-
//Eagerly look for Local LogOut
String lloStr = request.getParameter(GeneralConstants.LOCAL_LOGOUT);
boolean localLogout = isNotNull(lloStr) && "true".equalsIgnoreCase(lloStr);
@@ -150,189 +149,256 @@
if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse)))
return true;
+ //General User Request
+ if (!isNotNull(samlRequest) && !isNotNull(samlResponse))
+ {
+ return generalUserRequest(request, response, loginConfig);
+ }
+
+ //Handle a SAML Response from IDP
+ if (isNotNull(samlResponse))
+ {
+ return handleSAMLResponse(request, response, loginConfig);
+ }
+
+ //Handle SAML Requests from IDP
+ if (isNotNull(samlRequest))
+ {
+ return handleSAMLRequest(request, response, loginConfig);
+ }//end if
+
+ return localAuthentication(request, response, loginConfig);
+ }
+
+ /**
+ * Handle the IDP Request
+ * @param request
+ * @param response
+ * @param loginConfig
+ * @return
+ * @throws IOException
+ */
+ protected boolean handleSAMLRequest(Request request, Response response, LoginConfig loginConfig) throws IOException
+ {
+ String samlRequest = request.getParameter(GeneralConstants.SAML_REQUEST_KEY);
+ HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext());
+ Set<SAML2Handler> handlers = chain.handlers();
+
+ try
+ {
+ ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(true,
+ this.serviceURL);
+ requestProcessor.setTrustKeyManager(keyManager);
+ requestProcessor.setSupportSignatures(supportSignatures);
+ boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock);
+
+ if (result)
+ return result;
+ }
+ catch (Exception e)
+ {
+ if (trace)
+ log.trace("Server Exception:", e);
+ throw new IOException("Server Exception");
+ }
+ return localAuthentication(request, response, loginConfig);
+ }
+
+ /**
+ * Handle IDP Response
+ * @param request
+ * @param response
+ * @param loginConfig
+ * @return
+ * @throws IOException
+ */
+ protected boolean handleSAMLResponse(Request request, Response response, LoginConfig loginConfig) throws IOException
+ {
+ SPUtil spUtil = new SPUtil();
+ boolean isValid = false;
+ Session session = request.getSessionInternal(true);
+ String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY);
+
String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
-
boolean willSendRequest = false;
HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext());
Set<SAML2Handler> handlers = chain.handlers();
- //General User Request
- if (!isNotNull(samlRequest) && !isNotNull(samlResponse))
+ Principal principal = request.getUserPrincipal();
+ try
{
- //Neither saml request nor response from IDP
- //So this is a user request
- SAML2HandlerResponse saml2HandlerResponse = null;
- try
- {
- ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(true, serviceURL);
- if (issuerID != null)
- baseProcessor.setIssuer(issuerID);
+ isValid = this.validate(request);
+ }
+ catch (Exception e)
+ {
+ log.error("Exception:", e);
+ throw new IOException();
+ }
+ if (!isValid)
+ throw new IOException("Validity check failed");
- baseProcessor.setIdentityURL(identityURL);
+ //deal with SAML response from IDP
+ try
+ {
+ ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(true,
+ serviceURL);
+ responseProcessor.setValidateSignature(validateSignature);
+ responseProcessor.setTrustKeyManager(keyManager);
- saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
- }
- catch (ProcessingException pe)
- {
- log.error("Processing Exception:", pe);
- throw new RuntimeException(pe);
- }
- catch (ParsingException pe)
- {
- log.error("Parsing Exception:", pe);
- throw new RuntimeException(pe);
- }
- catch (ConfigurationException pe)
- {
- log.error("Config Exception:", pe);
- throw new RuntimeException(pe);
- }
+ SAML2HandlerResponse saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers,
+ chainLock);
- willSendRequest = saml2HandlerResponse.getSendRequest();
-
Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
relayState = saml2HandlerResponse.getRelayState();
String destination = saml2HandlerResponse.getDestination();
+ willSendRequest = saml2HandlerResponse.getSendRequest();
+
if (destination != null && samlResponseDocument != null)
{
- try
+ sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest);
+ }
+ else
+ {
+ //See if the session has been invalidated
+
+ boolean sessionValidity = session.isValid();
+ if (!sessionValidity)
{
- if (saveRestoreRequest)
- {
- this.saveRequest(request, session);
- }
- sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest);
+ sendToLogoutPage(request, response, session);
return false;
}
- catch (Exception e)
+
+ //We got a response with the principal
+ List<String> roles = saml2HandlerResponse.getRoles();
+ if (principal == null)
+ principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID);
+
+ String username = principal.getName();
+ String password = ServiceProviderSAMLContext.EMPTY_PASSWORD;
+ if (trace)
+ log.trace("Roles determined for username=" + username + "=" + Arrays.toString(roles.toArray()));
+
+ //Map to JBoss specific principal
+ if ((new ServerDetector()).isJboss() || jbossEnv)
{
- if (trace)
- log.trace("Exception:", e);
- throw new IOException("Server Error");
+ //Push a context
+ ServiceProviderSAMLContext.push(username, roles);
+ principal = context.getRealm().authenticate(username, password);
+ ServiceProviderSAMLContext.clear();
}
+ else
+ {
+ //tomcat env
+ principal = spUtil.createGenericPrincipal(request, username, roles);
+ }
+
+ session.setNote(Constants.SESS_USERNAME_NOTE, username);
+ session.setNote(Constants.SESS_PASSWORD_NOTE, password);
+ request.setUserPrincipal(principal);
+ //Get the original saved request
+ if (saveRestoreRequest)
+ {
+ this.restoreRequest(request, session);
+ }
+ register(request, response, principal, Constants.FORM_METHOD, username, password);
+
+ return true;
}
}
-
- //Handle a SAML Response from IDP
- if (isNotNull(samlResponse))
+ catch (ProcessingException pe)
{
- boolean isValid = false;
- try
+ Throwable t = pe.getCause();
+ if (t != null && t instanceof AssertionExpiredException)
{
- isValid = this.validate(request);
+ log.error("Assertion has expired. Asking IDP for reissue");
+ //Just issue a fresh request back to IDP
+ return generalUserRequest(request, response, loginConfig);
}
- catch (Exception e)
- {
- log.error("Exception:", e);
- throw new IOException();
- }
- if (!isValid)
- throw new IOException("Validity check failed");
+ throw new IOException("Server Exception:" + pe.getLocalizedMessage());
+ }
+ catch (Exception e)
+ {
+ log.error("Server Exception:", e);
+ throw new IOException("Server Exception");
+ }
+ return localAuthentication(request, response, loginConfig);
+ }
- //deal with SAML response from IDP
- try
- {
- ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(true,
- serviceURL);
- responseProcessor.setValidateSignature(validateSignature);
- responseProcessor.setTrustKeyManager(keyManager);
+ /**
+ * Handle the user invocation for the first time
+ * @param request
+ * @param response
+ * @param loginConfig
+ * @return
+ * @throws IOException
+ */
+ protected boolean generalUserRequest(Request request, Response response, LoginConfig loginConfig) throws IOException
+ {
+ Session session = request.getSessionInternal(true);
+ boolean willSendRequest = false;
+ HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext());
+ Set<SAML2Handler> handlers = chain.handlers();
- SAML2HandlerResponse saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers,
- chainLock);
+ String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
- Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
- relayState = saml2HandlerResponse.getRelayState();
+ //Neither saml request nor response from IDP
+ //So this is a user request
+ SAML2HandlerResponse saml2HandlerResponse = null;
+ try
+ {
+ ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(true, serviceURL);
+ if (issuerID != null)
+ baseProcessor.setIssuer(issuerID);
- String destination = saml2HandlerResponse.getDestination();
+ baseProcessor.setIdentityURL(identityURL);
- willSendRequest = saml2HandlerResponse.getSendRequest();
+ saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
+ }
+ catch (ProcessingException pe)
+ {
+ log.error("Processing Exception:", pe);
+ throw new RuntimeException(pe);
+ }
+ catch (ParsingException pe)
+ {
+ log.error("Parsing Exception:", pe);
+ throw new RuntimeException(pe);
+ }
+ catch (ConfigurationException pe)
+ {
+ log.error("Config Exception:", pe);
+ throw new RuntimeException(pe);
+ }
- if (destination != null && samlResponseDocument != null)
- {
- sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest);
- }
- else
- {
- //See if the session has been invalidated
+ willSendRequest = saml2HandlerResponse.getSendRequest();
- boolean sessionValidity = session.isValid();
- if (!sessionValidity)
- {
- sendToLogoutPage(request, response, session);
- return false;
- }
+ Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
+ relayState = saml2HandlerResponse.getRelayState();
- //We got a response with the principal
- List<String> roles = saml2HandlerResponse.getRoles();
- if (principal == null)
- principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID);
+ String destination = saml2HandlerResponse.getDestination();
- String username = principal.getName();
- String password = ServiceProviderSAMLContext.EMPTY_PASSWORD;
- if (trace)
- log.trace("Roles determined for username=" + username + "=" + Arrays.toString(roles.toArray()));
-
- //Map to JBoss specific principal
- if ((new ServerDetector()).isJboss() || jbossEnv)
- {
- //Push a context
- ServiceProviderSAMLContext.push(username, roles);
- principal = context.getRealm().authenticate(username, password);
- ServiceProviderSAMLContext.clear();
- }
- else
- {
- //tomcat env
- principal = spUtil.createGenericPrincipal(request, username, roles);
- }
-
- session.setNote(Constants.SESS_USERNAME_NOTE, username);
- session.setNote(Constants.SESS_PASSWORD_NOTE, password);
- request.setUserPrincipal(principal);
- //Get the original saved request
- if (saveRestoreRequest)
- {
- this.restoreRequest(request, session);
- }
- register(request, response, principal, Constants.FORM_METHOD, username, password);
-
- return true;
- }
- }
- catch (Exception e)
- {
- log.error("Server Exception:", e);
- throw new IOException("Server Exception");
- }
- }
-
- //Handle SAML Requests from IDP
- if (isNotNull(samlRequest))
+ if (destination != null && samlResponseDocument != null)
{
try
{
- ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(true,
- this.serviceURL);
- requestProcessor.setTrustKeyManager(keyManager);
- requestProcessor.setSupportSignatures(supportSignatures);
- boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock);
-
- if (result)
- return result;
+ if (saveRestoreRequest)
+ {
+ this.saveRequest(request, session);
+ }
+ sendRequestToIDP(destination, samlResponseDocument, relayState, response, willSendRequest);
+ return false;
}
catch (Exception e)
{
if (trace)
- log.trace("Server Exception:", e);
- throw new IOException("Server Exception");
+ log.trace("Exception:", e);
+ throw new IOException("Server Error");
}
- }//end if
+ }
- log.error("Did not find any SAML Request/Response. Falling back on local Form Authentication if available");
- //fallback
- return super.authenticate(request, response, loginConfig);
+ return localAuthentication(request, response, loginConfig);
}
@Override
Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 18:57:30 UTC (rev 1142)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 21:38:57 UTC (rev 1143)
@@ -141,42 +141,120 @@
if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse)))
return true;
+ //General User Request
+ if (!isNotNull(samlRequest) && !isNotNull(samlResponse))
+ {
+ return generalUserRequest(request, response, loginConfig);
+ }
+
+ //See if we got a response from IDP
+ if (isNotNull(samlResponse))
+ {
+ return handleSAMLResponse(request, response, loginConfig);
+ }
+
+ //Handle SAML Requests from IDP
+ if (isNotNull(samlRequest))
+ {
+ return handleSAMLRequest(request, response, loginConfig);
+ }//end if
+
+ return localAuthentication(request, response, loginConfig);
+ }
+
+ /**
+ * Handle the SAML Request message from IDP
+ * @param request
+ * @param response
+ * @param loginConfig
+ * @return
+ * @throws IOException
+ */
+ protected boolean handleSAMLRequest(Request request, Response response, LoginConfig loginConfig) throws IOException
+ {
+ String samlRequest = request.getParameter(GeneralConstants.SAML_REQUEST_KEY);
+ HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext());
+
+ Set<SAML2Handler> handlers = chain.handlers();
+
+ //we got a logout request
+ try
+ {
+ ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(false,
+ this.serviceURL);
+ boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock);
+
+ if (result)
+ return result;
+ }
+ catch (Exception e)
+ {
+ log.error("Server Exception:", e);
+ throw new IOException("Server Exception");
+ }
+ return localAuthentication(request, response, loginConfig);
+ }
+
+ /**
+ * Handle the IDP Response
+ * @param request
+ * @param response
+ * @param loginConfig
+ * @return
+ * @throws IOException
+ */
+ protected boolean handleSAMLResponse(Request request, Response response, LoginConfig loginConfig) throws IOException
+ {
+ Session session = request.getSessionInternal(true);
+
+ String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY);
+
+ Principal principal = request.getUserPrincipal();
+
String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext());
Set<SAML2Handler> handlers = chain.handlers();
+ boolean isValid = false;
+ try
+ {
+ isValid = this.validate(request);
+ }
+ catch (Exception e)
+ {
+ log.error("Exception:", e);
+ throw new IOException();
+ }
+ if (!isValid)
+ throw new IOException("Validity check failed");
- //General User Request
- if (!isNotNull(samlRequest) && !isNotNull(samlResponse))
+ try
{
- //Neither saml request nor response from IDP
- //So this is a user request
+ ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(false,
+ serviceURL);
+ initializeSAMLProcessor(responseProcessor);
+
SAML2HandlerResponse saml2HandlerResponse = null;
+
try
{
- ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL);
-
- initializeSAMLProcessor(baseProcessor);
-
- saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
- saml2HandlerResponse.setDestination(identityURL);
+ saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers, chainLock);
}
catch (ProcessingException pe)
{
- log.error("Processing Exception:", pe);
- throw new RuntimeException(pe);
+ Throwable te = pe.getCause();
+ if (te instanceof AssertionExpiredException)
+ {
+ //We need to reissue redirect to IDP
+ ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL);
+ initializeSAMLProcessor(baseProcessor);
+
+ saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
+ saml2HandlerResponse.setDestination(identityURL);
+ }
+ else
+ throw pe;
}
- catch (ParsingException pe)
- {
- log.error("Parsing Exception:", pe);
- throw new RuntimeException(pe);
- }
- catch (ConfigurationException pe)
- {
- log.error("Config Exception:", pe);
- throw new RuntimeException(pe);
- }
-
Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
relayState = saml2HandlerResponse.getRelayState();
@@ -184,188 +262,175 @@
if (destination != null && samlResponseDocument != null)
{
- try
- {
- String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument);
- if (trace)
- log.trace("SAML Document=" + samlMsg);
+ boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest();
+ String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument);
- boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest();
+ String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8"));
- String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8"));
+ String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest);
- String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest);
+ RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder();
+ holder.setDestination(destination).setDestinationQueryString(destinationQuery);
- RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder();
- holder.setDestination(destination).setDestinationQueryString(destinationQuery);
+ String destinationURL = RedirectBindingUtil.getDestinationURL(holder);
- String destinationURL = RedirectBindingUtil.getDestinationURL(holder);
+ HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response);
+ }
+ else
+ {
+ //See if the session has been invalidated
+ boolean sessionValidity = session.isValid();
+ if (!sessionValidity)
+ {
+ sendToLogoutPage(request, response, session);
+ return false;
+ }
- if (trace)
- {
- log.trace("URL used for sending:" + destinationURL);
- }
+ //We got a response with the principal
+ List<String> roles = saml2HandlerResponse.getRoles();
+ if (principal == null)
+ principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID);
- if (saveRestoreRequest)
- {
- this.saveRequest(request, session);
- }
+ String username = principal.getName();
+ String password = ServiceProviderSAMLContext.EMPTY_PASSWORD;
- HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response);
- return false;
+ //Map to JBoss specific principal
+ if ((new ServerDetector()).isJboss() || jbossEnv)
+ {
+ //Push a context
+ ServiceProviderSAMLContext.push(username, roles);
+ principal = context.getRealm().authenticate(username, password);
+ ServiceProviderSAMLContext.clear();
}
- catch (Exception e)
+ else
{
- if (trace)
- log.trace("Exception:", e);
- throw new IOException("Server Error");
+ //tomcat env
+ SPUtil spUtil = new SPUtil();
+ principal = spUtil.createGenericPrincipal(request, principal.getName(), roles);
}
+
+ session.setNote(Constants.SESS_USERNAME_NOTE, username);
+ session.setNote(Constants.SESS_PASSWORD_NOTE, password);
+ request.setUserPrincipal(principal);
+
+ if (saveRestoreRequest)
+ {
+ this.restoreRequest(request, session);
+ }
+ register(request, response, principal, Constants.FORM_METHOD, username, password);
+
+ return true;
}
}
-
- //See if we got a response from IDP
- if (isNotNull(samlResponse))
+ catch (ProcessingException pe)
{
- boolean isValid = false;
- try
+ Throwable t = pe.getCause();
+ if (t != null && t instanceof AssertionExpiredException)
{
- isValid = this.validate(request);
+ log.error("Assertion has expired. Asking IDP for reissue");
+ //Just issue a fresh request back to IDP
+ return generalUserRequest(request, response, loginConfig);
}
- catch (Exception e)
- {
- log.error("Exception:", e);
- throw new IOException();
- }
- if (!isValid)
- throw new IOException("Validity check failed");
+ throw new IOException("Server Exception:" + pe.getLocalizedMessage());
+ }
+ catch (Exception e)
+ {
+ if (trace)
+ log.trace("Server Exception:", e);
+ throw new IOException("Server Exception:" + e.getLocalizedMessage());
+ }
+ return localAuthentication(request, response, loginConfig);
+ }
- try
- {
- ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor(false,
- serviceURL);
- initializeSAMLProcessor(responseProcessor);
+ /**
+ * Handle the user invocation for the first time
+ * @param request
+ * @param response
+ * @param loginConfig
+ * @return
+ * @throws IOException
+ */
+ protected boolean generalUserRequest(Request request, Response response, LoginConfig loginConfig) throws IOException
+ {
+ Session session = request.getSessionInternal(true);
+ HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext());
+ Set<SAML2Handler> handlers = chain.handlers();
- SAML2HandlerResponse saml2HandlerResponse = null;
+ String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
- try
- {
- saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers, chainLock);
- }
- catch (ProcessingException pe)
- {
- Throwable te = pe.getCause();
- if (te instanceof AssertionExpiredException)
- {
- //We need to reissue redirect to IDP
- ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL);
- initializeSAMLProcessor(baseProcessor);
+ //Neither saml request nor response from IDP
+ //So this is a user request
+ SAML2HandlerResponse saml2HandlerResponse = null;
+ try
+ {
+ ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(false, serviceURL);
- saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
- saml2HandlerResponse.setDestination(identityURL);
- }
- else
- throw pe;
- }
- Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
- relayState = saml2HandlerResponse.getRelayState();
+ initializeSAMLProcessor(baseProcessor);
- String destination = saml2HandlerResponse.getDestination();
+ saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
+ saml2HandlerResponse.setDestination(identityURL);
+ }
+ catch (ProcessingException pe)
+ {
+ log.error("Processing Exception:", pe);
+ throw new RuntimeException(pe);
+ }
+ catch (ParsingException pe)
+ {
+ log.error("Parsing Exception:", pe);
+ throw new RuntimeException(pe);
+ }
+ catch (ConfigurationException pe)
+ {
+ log.error("Config Exception:", pe);
+ throw new RuntimeException(pe);
+ }
- if (destination != null && samlResponseDocument != null)
- {
- boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest();
- String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument);
+ Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
+ relayState = saml2HandlerResponse.getRelayState();
- String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8"));
+ String destination = saml2HandlerResponse.getDestination();
- String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest);
+ if (destination != null && samlResponseDocument != null)
+ {
+ try
+ {
+ String samlMsg = DocumentUtil.getDocumentAsString(samlResponseDocument);
+ if (trace)
+ log.trace("SAML Document=" + samlMsg);
- RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder();
- holder.setDestination(destination).setDestinationQueryString(destinationQuery);
+ boolean areWeSendingRequest = saml2HandlerResponse.getSendRequest();
- String destinationURL = RedirectBindingUtil.getDestinationURL(holder);
+ String base64Request = RedirectBindingUtil.deflateBase64URLEncode(samlMsg.getBytes("UTF-8"));
- HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response);
- }
- else
- {
- //See if the session has been invalidated
- boolean sessionValidity = session.isValid();
- if (!sessionValidity)
- {
- sendToLogoutPage(request, response, session);
- return false;
- }
+ String destinationQuery = getDestinationQueryString(base64Request, relayState, areWeSendingRequest);
- //We got a response with the principal
- List<String> roles = saml2HandlerResponse.getRoles();
- if (principal == null)
- principal = (Principal) session.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID);
+ RedirectBindingUtilDestHolder holder = new RedirectBindingUtilDestHolder();
+ holder.setDestination(destination).setDestinationQueryString(destinationQuery);
- String username = principal.getName();
- String password = ServiceProviderSAMLContext.EMPTY_PASSWORD;
+ String destinationURL = RedirectBindingUtil.getDestinationURL(holder);
- //Map to JBoss specific principal
- if ((new ServerDetector()).isJboss() || jbossEnv)
- {
- //Push a context
- ServiceProviderSAMLContext.push(username, roles);
- principal = context.getRealm().authenticate(username, password);
- ServiceProviderSAMLContext.clear();
- }
- else
- {
- //tomcat env
- SPUtil spUtil = new SPUtil();
- principal = spUtil.createGenericPrincipal(request, principal.getName(), roles);
- }
+ if (trace)
+ {
+ log.trace("URL used for sending:" + destinationURL);
+ }
- session.setNote(Constants.SESS_USERNAME_NOTE, username);
- session.setNote(Constants.SESS_PASSWORD_NOTE, password);
- request.setUserPrincipal(principal);
+ if (saveRestoreRequest)
+ {
+ this.saveRequest(request, session);
+ }
- if (saveRestoreRequest)
- {
- this.restoreRequest(request, session);
- }
- register(request, response, principal, Constants.FORM_METHOD, username, password);
-
- return true;
- }
+ HTTPRedirectUtil.sendRedirectForRequestor(destinationURL, response);
+ return false;
}
catch (Exception e)
{
- e.printStackTrace();
if (trace)
- log.trace("Server Exception:", e);
- throw new IOException("Server Exception:" + e.getLocalizedMessage());
+ log.trace("Exception:", e);
+ throw new IOException("Server Error");
}
}
-
- //Handle SAML Requests from IDP
- if (isNotNull(samlRequest))
- {
- //we got a logout request
- try
- {
- ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor(false,
- this.serviceURL);
- boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock);
-
- if (result)
- return result;
- }
- catch (Exception e)
- {
- log.error("Server Exception:", e);
- throw new IOException("Server Exception");
- }
-
- }//end if
-
- log.error("Did not find any SAML Request/Response. Falling back on local Form Authentication if available");
- //fallback
- return super.authenticate(request, response, loginConfig);
+ return localAuthentication(request, response, loginConfig);
}
protected String createSAMLRequestMessage(String relayState, Response response) throws ServletException,
13 years, 4 months
Picketlink SVN: r1142 - in product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation: web/constants and 1 other directory.
by picketlink-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2011-07-28 14:57:30 -0400 (Thu, 28 Jul 2011)
New Revision: 1142
Modified:
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
Log:
merge in r1141
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp
___________________________________________________________________
Added: svn:mergeinfo
+ /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp:1138-1141
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 18:23:56 UTC (rev 1141)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 18:57:30 UTC (rev 1142)
@@ -34,11 +34,14 @@
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
+import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import org.apache.catalina.LifecycleException;
+import org.apache.catalina.Session;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
@@ -114,6 +117,8 @@
protected String canonicalizationMethod = CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
+ protected final String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME;
+
/**
* Servlet3 related changes forced Tomcat to change the authenticate method
* signature in the FormAuthenticator. For now, we use reflection for forward
@@ -454,6 +459,28 @@
chainConfigOptions.put(GeneralConstants.ROLE_VALIDATOR_IGNORE, "false"); //No validator as tomcat realm does validn
}
+ protected void sendToLogoutPage(Request request, Response response, Session session) throws IOException,
+ ServletException
+ {
+ //we are invalidated.
+ RequestDispatcher dispatch = context.getServletContext().getRequestDispatcher(this.logOutPage);
+ if (dispatch == null)
+ log.error("Cannot dispatch to the logout page: no request dispatcher:" + this.logOutPage);
+ else
+ {
+ session.expire();
+ try
+ {
+ dispatch.forward(request, response);
+ }
+ catch (Exception e)
+ {
+ //JBAS5.1 and 6 quirkiness
+ dispatch.forward(request.getRequest(), response);
+ }
+ }
+ }
+
private Class<?> getAuthenticatorBaseClass()
{
Class<?> myClass = getClass();
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 18:23:56 UTC (rev 1141)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 18:57:30 UTC (rev 1142)
@@ -29,7 +29,7 @@
import java.util.List;
import java.util.Set;
-import javax.servlet.RequestDispatcher;
+import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Session;
@@ -77,8 +77,6 @@
private boolean jbossEnv = false;
- private final String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME;
-
protected boolean supportSignatures = false;
protected TrustKeyManager keyManager;
@@ -118,8 +116,27 @@
@Override
public boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException
{
+ Session session = request.getSessionInternal(true);
+
SPUtil spUtil = new SPUtil();
+ //Eagerly look for Local LogOut
+ String lloStr = request.getParameter(GeneralConstants.LOCAL_LOGOUT);
+ boolean localLogout = isNotNull(lloStr) && "true".equalsIgnoreCase(lloStr);
+ if (localLogout)
+ {
+ try
+ {
+ sendToLogoutPage(request, response, session);
+ }
+ catch (ServletException e)
+ {
+ log.error("Exception in logout::", e);
+ throw new IOException(e);
+ }
+ return false;
+ }
+
//Eagerly look for Global LogOut
String gloStr = request.getParameter(GeneralConstants.GLOBAL_LOGOUT);
boolean logOutRequest = isNotNull(gloStr) && "true".equalsIgnoreCase(gloStr);
@@ -133,7 +150,6 @@
if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse)))
return true;
- Session session = request.getSessionInternal(true);
String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
boolean willSendRequest = false;
@@ -244,23 +260,7 @@
boolean sessionValidity = session.isValid();
if (!sessionValidity)
{
- //we are invalidated.
- RequestDispatcher dispatch = context.getServletContext().getRequestDispatcher(this.logOutPage);
- if (dispatch == null)
- log.error("Cannot dispatch to the logout page: no request dispatcher:" + this.logOutPage);
- else
- {
- session.expire();
- try
- {
- dispatch.forward(request, response);
- }
- catch (Exception e)
- {
- //JBAS5.1 and 6 quirkiness
- dispatch.forward(request.getRequest(), response);
- }
- }
+ sendToLogoutPage(request, response, session);
return false;
}
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 18:23:56 UTC (rev 1141)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 18:57:30 UTC (rev 1142)
@@ -31,7 +31,6 @@
import java.util.Set;
import java.util.StringTokenizer;
-import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
@@ -81,8 +80,6 @@
protected boolean jbossEnv = false;
- private final String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME;
-
public SPRedirectFormAuthenticator()
{
super();
@@ -112,6 +109,25 @@
@Override
public boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException
{
+ Session session = request.getSessionInternal(true);
+
+ //Eagerly look for Local LogOut
+ String lloStr = request.getParameter(GeneralConstants.LOCAL_LOGOUT);
+ boolean localLogout = isNotNull(lloStr) && "true".equalsIgnoreCase(lloStr);
+ if (localLogout)
+ {
+ try
+ {
+ sendToLogoutPage(request, response, session);
+ }
+ catch (ServletException e)
+ {
+ log.error("Exception in logout::", e);
+ throw new IOException(e);
+ }
+ return false;
+ }
+
//Eagerly look for Global LogOut
String gloStr = request.getParameter(GeneralConstants.GLOBAL_LOGOUT);
boolean logOutRequest = isNotNull(gloStr) && "true".equalsIgnoreCase(gloStr);
@@ -125,7 +141,6 @@
if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse)))
return true;
- Session session = request.getSessionInternal(true);
String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext());
@@ -278,23 +293,7 @@
boolean sessionValidity = session.isValid();
if (!sessionValidity)
{
- //we are invalidated.
- RequestDispatcher dispatch = context.getServletContext().getRequestDispatcher(this.logOutPage);
- if (dispatch == null)
- log.error("Cannot dispatch to the logout page: no request dispatcher:" + this.logOutPage);
- else
- {
- session.expire();
- try
- {
- dispatch.forward(request, response);
- }
- catch (Exception e)
- {
- //JBAS5.1 and 6 quirkiness
- dispatch.forward(request.getRequest(), response);
- }
- }
+ sendToLogoutPage(request, response, session);
return false;
}
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-07-28 18:23:56 UTC (rev 1141)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-07-28 18:57:30 UTC (rev 1142)
@@ -48,6 +48,8 @@
String CONFIG_FILE_LOCATION = "/WEB-INF/picketlink-idfed.xml";
+ String LOCAL_LOGOUT = "LLO";
+
String GLOBAL_LOGOUT = "GLO";
String HANDLER_CONFIG_FILE_LOCATION = "/WEB-INF/picketlink-handlers.xml";
@@ -60,6 +62,8 @@
String KEYPAIR = "KEYPAIR";
+ String LOGIN_TYPE = "LOGIN_TYPE";
+
String LOGOUT_PAGE = "LOGOUT_PAGE";
String LOGOUT_PAGE_NAME = "/logout.jsp";
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
___________________________________________________________________
Added: svn:mergeinfo
+ /federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java:1138-1141
13 years, 4 months
Picketlink SVN: r1141 - in federation/trunk: picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants and 1 other directory.
by picketlink-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2011-07-28 14:23:56 -0400 (Thu, 28 Jul 2011)
New Revision: 1141
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
Log:
PLFED-196: sp local log out
Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 16:17:34 UTC (rev 1140)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2011-07-28 18:23:56 UTC (rev 1141)
@@ -34,11 +34,14 @@
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
+import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import org.apache.catalina.LifecycleException;
+import org.apache.catalina.Session;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
@@ -114,6 +117,8 @@
protected String canonicalizationMethod = CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
+ protected final String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME;
+
/**
* Servlet3 related changes forced Tomcat to change the authenticate method
* signature in the FormAuthenticator. For now, we use reflection for forward
@@ -454,6 +459,28 @@
chainConfigOptions.put(GeneralConstants.ROLE_VALIDATOR_IGNORE, "false"); //No validator as tomcat realm does validn
}
+ protected void sendToLogoutPage(Request request, Response response, Session session) throws IOException,
+ ServletException
+ {
+ //we are invalidated.
+ RequestDispatcher dispatch = context.getServletContext().getRequestDispatcher(this.logOutPage);
+ if (dispatch == null)
+ log.error("Cannot dispatch to the logout page: no request dispatcher:" + this.logOutPage);
+ else
+ {
+ session.expire();
+ try
+ {
+ dispatch.forward(request, response);
+ }
+ catch (Exception e)
+ {
+ //JBAS5.1 and 6 quirkiness
+ dispatch.forward(request.getRequest(), response);
+ }
+ }
+ }
+
private Class<?> getAuthenticatorBaseClass()
{
Class<?> myClass = getClass();
Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 16:17:34 UTC (rev 1140)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2011-07-28 18:23:56 UTC (rev 1141)
@@ -29,7 +29,7 @@
import java.util.List;
import java.util.Set;
-import javax.servlet.RequestDispatcher;
+import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Session;
@@ -77,8 +77,6 @@
private boolean jbossEnv = false;
- private final String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME;
-
protected boolean supportSignatures = false;
protected TrustKeyManager keyManager;
@@ -118,8 +116,27 @@
@Override
public boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException
{
+ Session session = request.getSessionInternal(true);
+
SPUtil spUtil = new SPUtil();
+ //Eagerly look for Local LogOut
+ String lloStr = request.getParameter(GeneralConstants.LOCAL_LOGOUT);
+ boolean localLogout = isNotNull(lloStr) && "true".equalsIgnoreCase(lloStr);
+ if (localLogout)
+ {
+ try
+ {
+ sendToLogoutPage(request, response, session);
+ }
+ catch (ServletException e)
+ {
+ log.error("Exception in logout::", e);
+ throw new IOException(e);
+ }
+ return false;
+ }
+
//Eagerly look for Global LogOut
String gloStr = request.getParameter(GeneralConstants.GLOBAL_LOGOUT);
boolean logOutRequest = isNotNull(gloStr) && "true".equalsIgnoreCase(gloStr);
@@ -133,7 +150,6 @@
if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse)))
return true;
- Session session = request.getSessionInternal(true);
String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
boolean willSendRequest = false;
@@ -244,23 +260,7 @@
boolean sessionValidity = session.isValid();
if (!sessionValidity)
{
- //we are invalidated.
- RequestDispatcher dispatch = context.getServletContext().getRequestDispatcher(this.logOutPage);
- if (dispatch == null)
- log.error("Cannot dispatch to the logout page: no request dispatcher:" + this.logOutPage);
- else
- {
- session.expire();
- try
- {
- dispatch.forward(request, response);
- }
- catch (Exception e)
- {
- //JBAS5.1 and 6 quirkiness
- dispatch.forward(request.getRequest(), response);
- }
- }
+ sendToLogoutPage(request, response, session);
return false;
}
Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 16:17:34 UTC (rev 1140)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2011-07-28 18:23:56 UTC (rev 1141)
@@ -31,7 +31,6 @@
import java.util.Set;
import java.util.StringTokenizer;
-import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
@@ -81,8 +80,6 @@
protected boolean jbossEnv = false;
- private final String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME;
-
public SPRedirectFormAuthenticator()
{
super();
@@ -112,6 +109,25 @@
@Override
public boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException
{
+ Session session = request.getSessionInternal(true);
+
+ //Eagerly look for Local LogOut
+ String lloStr = request.getParameter(GeneralConstants.LOCAL_LOGOUT);
+ boolean localLogout = isNotNull(lloStr) && "true".equalsIgnoreCase(lloStr);
+ if (localLogout)
+ {
+ try
+ {
+ sendToLogoutPage(request, response, session);
+ }
+ catch (ServletException e)
+ {
+ log.error("Exception in logout::", e);
+ throw new IOException(e);
+ }
+ return false;
+ }
+
//Eagerly look for Global LogOut
String gloStr = request.getParameter(GeneralConstants.GLOBAL_LOGOUT);
boolean logOutRequest = isNotNull(gloStr) && "true".equalsIgnoreCase(gloStr);
@@ -125,7 +141,6 @@
if (principal != null && !(logOutRequest || isNotNull(samlRequest) || isNotNull(samlResponse)))
return true;
- Session session = request.getSessionInternal(true);
String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext());
@@ -278,23 +293,7 @@
boolean sessionValidity = session.isValid();
if (!sessionValidity)
{
- //we are invalidated.
- RequestDispatcher dispatch = context.getServletContext().getRequestDispatcher(this.logOutPage);
- if (dispatch == null)
- log.error("Cannot dispatch to the logout page: no request dispatcher:" + this.logOutPage);
- else
- {
- session.expire();
- try
- {
- dispatch.forward(request, response);
- }
- catch (Exception e)
- {
- //JBAS5.1 and 6 quirkiness
- dispatch.forward(request.getRequest(), response);
- }
- }
+ sendToLogoutPage(request, response, session);
return false;
}
Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-07-28 16:17:34 UTC (rev 1140)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-07-28 18:23:56 UTC (rev 1141)
@@ -48,6 +48,8 @@
String CONFIG_FILE_LOCATION = "/WEB-INF/picketlink-idfed.xml";
+ String LOCAL_LOGOUT = "LLO";
+
String GLOBAL_LOGOUT = "GLO";
String HANDLER_CONFIG_FILE_LOCATION = "/WEB-INF/picketlink-handlers.xml";
13 years, 4 months
Picketlink SVN: r1140 - in federation/trunk: picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/mock and 2 other directories.
by picketlink-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2011-07-28 12:17:34 -0400 (Thu, 28 Jul 2011)
New Revision: 1140
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaContext.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
Log:
PLFED-202: set the auth context type
Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2011-07-28 15:54:08 UTC (rev 1139)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2011-07-28 16:17:34 UTC (rev 1140)
@@ -53,6 +53,7 @@
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
+import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.util.LifecycleSupport;
import org.apache.catalina.valves.ValveBase;
@@ -478,6 +479,10 @@
cleanUpSessionNote(request);
+ //Determine the transport mechanism
+ boolean isSecure = request.isSecure();
+ String loginType = determineLoginType(isSecure);
+
try
{
samlDocumentHolder = webRequestUtil.getSAMLDocumentHolder(samlRequestMessage);
@@ -497,6 +502,10 @@
SAML2HandlerRequest saml2HandlerRequest = new DefaultSAML2HandlerRequest(protocolContext,
idpIssuer.getIssuer(), samlDocumentHolder, HANDLER_TYPE.IDP);
saml2HandlerRequest.setRelayState(relayState);
+ if (StringUtil.isNotNull(loginType))
+ {
+ saml2HandlerRequest.addOption(GeneralConstants.LOGIN_TYPE, loginType);
+ }
String assertionID = (String) session.getSession().getAttribute(GeneralConstants.ASSERTION_ID);
@@ -972,6 +981,7 @@
String configFile = GeneralConstants.CONFIG_FILE_LOCATION;
context = (Context) getContainer();
+
InputStream is = context.getServletContext().getResourceAsStream(configFile);
if (is == null)
throw new RuntimeException(configFile + " missing");
@@ -1157,6 +1167,25 @@
response.recycle();
}
+ protected String determineLoginType(boolean isSecure)
+ {
+ String result = JBossSAMLURIConstants.AC_PASSWORD.get();
+ LoginConfig loginConfig = context.getLoginConfig();
+ if (loginConfig != null)
+ {
+ String auth = loginConfig.getAuthMethod();
+ if (StringUtil.isNotNull(auth))
+ {
+ if ("CLIENT-CERT".equals(auth))
+ result = JBossSAMLURIConstants.AC_TLS_CLIENT.get();
+ else if (isSecure)
+ result = JBossSAMLURIConstants.AC_PASSWORD_PROTECTED_TRANSPORT.get();
+ }
+ }
+
+ return result;
+ }
+
/**
* Given a set of roles, create an attribute statement
* @param roles
Modified: federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaContext.java
===================================================================
--- federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaContext.java 2011-07-28 15:54:08 UTC (rev 1139)
+++ federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaContext.java 2011-07-28 16:17:34 UTC (rev 1140)
@@ -30,8 +30,8 @@
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
+import java.util.Map.Entry;
import java.util.Set;
-import java.util.Map.Entry;
import javax.naming.directory.DirContext;
import javax.servlet.RequestDispatcher;
@@ -42,10 +42,9 @@
import javax.servlet.ServletResponse;
import org.apache.catalina.Cluster;
-import org.apache.catalina.Context;
-
import org.apache.catalina.Container;
import org.apache.catalina.ContainerListener;
+import org.apache.catalina.Context;
import org.apache.catalina.Loader;
import org.apache.catalina.Manager;
import org.apache.catalina.Pipeline;
@@ -62,20 +61,21 @@
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.util.CharsetMapper;
import org.apache.juli.logging.Log;
-import org.apache.tomcat.util.http.mapper.Mapper;
+import org.apache.tomcat.util.http.mapper.Mapper;
/**
* Mock Catalina Context
* @author Anil.Saldhana(a)redhat.com
* @since Oct 20, 2009
*/
-@SuppressWarnings({ "unchecked", "rawtypes"})
-public class MockCatalinaContext
-implements Context, Container, ServletContext
-{
+@SuppressWarnings(
+{"unchecked", "rawtypes"})
+public class MockCatalinaContext implements Context, Container, ServletContext
+{
private Realm realm;
+
public void addChild(Container arg0)
- {
+ {
}
public void addContainerListener(ContainerListener arg0)
@@ -97,136 +97,136 @@
public Container[] findChildren()
{
-
+
throw new RuntimeException("NYI");
}
public ContainerListener[] findContainerListeners()
{
-
+
throw new RuntimeException("NYI");
}
public int getBackgroundProcessorDelay()
{
-
+
return 0;
}
public Cluster getCluster()
{
-
+
throw new RuntimeException("NYI");
}
public String getInfo()
{
-
+
throw new RuntimeException("NYI");
}
public Loader getLoader()
{
-
+
throw new RuntimeException("NYI");
}
public Log getLogger()
{
-
+
throw new RuntimeException("NYI");
}
public Manager getManager()
{
-
+
throw new RuntimeException("NYI");
}
public Object getMappingObject()
{
-
+
throw new RuntimeException("NYI");
}
public String getName()
- {
+ {
throw new RuntimeException("NYI");
}
public String getObjectName()
{
-
+
throw new RuntimeException("NYI");
}
public Container getParent()
- {
+ {
return this;
}
public ClassLoader getParentClassLoader()
- {
+ {
throw new RuntimeException("NYI");
}
public Pipeline getPipeline()
- {
+ {
throw new RuntimeException("NYI");
}
public DirContext getResources()
- {
+ {
throw new RuntimeException("NYI");
}
public void invoke(Request arg0, Response arg1) throws IOException, ServletException
- {
+ {
}
public void removeChild(Container arg0)
- {
+ {
}
public void removeContainerListener(ContainerListener arg0)
- {
+ {
}
public void removePropertyChangeListener(PropertyChangeListener arg0)
- {
+ {
}
public void setBackgroundProcessorDelay(int arg0)
- {
+ {
}
public void setCluster(Cluster arg0)
- {
+ {
}
public void setLoader(Loader arg0)
- {
+ {
}
public void setManager(Manager arg0)
- {
+ {
}
public void setName(String arg0)
- {
+ {
}
public void setParent(Container arg0)
- {
+ {
}
public void setParentClassLoader(ClassLoader arg0)
- {
+ {
}
public void setRealm(Realm arg0)
- {
- this.realm = arg0;
+ {
+ this.realm = arg0;
}
public void setResources(DirContext arg0)
@@ -526,7 +526,9 @@
public LoginConfig getLoginConfig()
{
- throw new RuntimeException("NYI");
+ LoginConfig loginConfig = new LoginConfig();
+ loginConfig.setAuthMethod("BASIC");
+ return loginConfig;
}
public Mapper getMapper()
@@ -757,54 +759,54 @@
}
public void setSessionTimeout(int arg0)
- {
+ {
}
public void setSwallowOutput(boolean arg0)
- {
+ {
}
public void setTldNamespaceAware(boolean arg0)
- {
+ {
}
public void setTldValidation(boolean arg0)
- {
+ {
}
public void setWrapperClass(String arg0)
- {
+ {
}
public void setXmlNamespaceAware(boolean arg0)
- {
+ {
}
public void setXmlValidation(boolean arg0)
{
}
-
+
public Realm getRealm()
- {
+ {
return realm;
}
-
- //Copied from MockServletContext
- private Map params = new HashMap();
- private Map attribs = new HashMap();
-
+ //Copied from MockServletContext
+ private final Map params = new HashMap();
+
+ private final Map attribs = new HashMap();
+
public Object getAttribute(String arg0)
- {
+ {
return attribs.get(arg0);
}
public Enumeration getAttributeNames()
- {
- return new Enumeration()
+ {
+ return new Enumeration()
{
- private Iterator iter = attribs.entrySet().iterator();
-
+ private final Iterator iter = attribs.entrySet().iterator();
+
public boolean hasMoreElements()
{
return iter.hasNext();
@@ -812,33 +814,33 @@
public Object nextElement()
{
- Entry<String,Object> entry = (Entry<String, Object>) iter.next();
+ Entry<String, Object> entry = (Entry<String, Object>) iter.next();
return entry.getValue();
}
};
}
public ServletContext getContext(String arg0)
- {
+ {
throw new RuntimeException("NYI");
}
public String getContextPath()
- {
+ {
throw new RuntimeException("NYI");
}
public String getInitParameter(String arg0)
- {
+ {
return (String) params.get(arg0);
}
public Enumeration getInitParameterNames()
- {
- return new Enumeration()
+ {
+ return new Enumeration()
{
- private Iterator iter = params.entrySet().iterator();
-
+ private final Iterator iter = params.entrySet().iterator();
+
public boolean hasMoreElements()
{
return iter.hasNext();
@@ -846,85 +848,85 @@
public Object nextElement()
{
- Entry<String,Object> entry = (Entry<String, Object>) iter.next();
+ Entry<String, Object> entry = (Entry<String, Object>) iter.next();
return entry.getKey();
}
};
}
public int getMajorVersion()
- {
+ {
return 0;
}
public String getMimeType(String arg0)
- {
+ {
throw new RuntimeException("NYI");
}
public int getMinorVersion()
- {
+ {
return 0;
}
public RequestDispatcher getNamedDispatcher(String arg0)
- {
+ {
throw new RuntimeException("NYI");
}
public String getRealPath(String arg0)
- {
+ {
return null;
}
public RequestDispatcher getRequestDispatcher(String arg0)
- {
+ {
return new RequestDispatcher()
{
-
+
public void include(ServletRequest arg0, ServletResponse arg1) throws ServletException, IOException
- {
+ {
}
-
+
public void forward(ServletRequest arg0, ServletResponse arg1) throws ServletException, IOException
- {
+ {
}
};
}
public URL getResource(String arg0) throws MalformedURLException
- {
+ {
throw new RuntimeException("NYI");
}
public InputStream getResourceAsStream(String arg0)
{
- ClassLoader tcl = Thread.currentThread().getContextClassLoader();
- return tcl.getResourceAsStream( arg0 );
+ ClassLoader tcl = Thread.currentThread().getContextClassLoader();
+ return tcl.getResourceAsStream(arg0);
}
public Set getResourcePaths(String arg0)
- {
+ {
throw new RuntimeException("NYI");
}
public String getServerInfo()
- {
+ {
throw new RuntimeException("NYI");
}
public Servlet getServlet(String arg0) throws ServletException
- {
+ {
throw new RuntimeException("NYI");
}
public String getServletContextName()
- {
+ {
throw new RuntimeException("NYI");
}
public Enumeration getServletNames()
- {
+ {
throw new RuntimeException("NYI");
}
@@ -934,15 +936,15 @@
}
public void log(String arg0)
- {
+ {
}
public void log(Exception arg0, String arg1)
- {
+ {
}
public void log(String arg0, Throwable arg1)
- {
+ {
}
public void removeAttribute(String arg0)
@@ -951,7 +953,7 @@
}
public void setAttribute(String arg0, Object arg1)
- {
+ {
this.attribs.put(arg0, arg1);
}
}
\ No newline at end of file
Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-07-28 15:54:08 UTC (rev 1139)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-07-28 16:17:34 UTC (rev 1140)
@@ -60,6 +60,8 @@
String KEYPAIR = "KEYPAIR";
+ String LOGIN_TYPE = "LOGIN_TYPE";
+
String LOGOUT_PAGE = "LOGOUT_PAGE";
String LOGOUT_PAGE_NAME = "/logout.jsp";
Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-07-28 15:54:08 UTC (rev 1139)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-07-28 16:17:34 UTC (rev 1140)
@@ -238,6 +238,8 @@
Document samlResponseDocument = null;
+ String authMethod = (String) request.getOptions().get(GeneralConstants.LOGIN_TYPE);
+
if (trace)
log.trace("AssertionConsumerURL=" + assertionConsumerURL + "::assertion validity=" + assertionValidity);
ResponseType responseType = null;
@@ -275,8 +277,12 @@
//Create an AuthnStatementType
if (handlerConfig.getParameter(DISABLE_AUTHN_STATEMENT) == null)
{
+ String authContextRef = JBossSAMLURIConstants.AC_PASSWORD.get();
+ if (StringUtil.isNotNull(authMethod))
+ authContextRef = authMethod;
+
AuthnStatementType authnStatement = StatementUtil.createAuthnStatement(XMLTimeUtil.getIssueInstant(),
- JBossSAMLURIConstants.AC_PASSWORD_PROTECTED_TRANSPORT.get());
+ authContextRef);
assertion.addStatement(authnStatement);
}
13 years, 5 months
Picketlink SVN: r1139 - integration-tests/trunk/ant-scripts.
by picketlink-commits@lists.jboss.org
Author: anil.saldhana(a)jboss.com
Date: 2011-07-28 11:54:08 -0400 (Thu, 28 Jul 2011)
New Revision: 1139
Modified:
integration-tests/trunk/ant-scripts/ant-build.xml
Log:
add claims war to tc
Modified: integration-tests/trunk/ant-scripts/ant-build.xml
===================================================================
--- integration-tests/trunk/ant-scripts/ant-build.xml 2011-07-28 15:26:45 UTC (rev 1138)
+++ integration-tests/trunk/ant-scripts/ant-build.xml 2011-07-28 15:54:08 UTC (rev 1139)
@@ -52,6 +52,9 @@
</fileset>
</move>
+ <copy file="${basedir}/../picketlink-int-webapps/claims/target/claims.war" todir="${TOMCAT6_DEPLOY}"/>
+
+
<copy file="${basedir}/../common-dist/tomcat/tomcat-users.xml"
todir="${TOMCAT6}/conf" />
<copy file="${basedir}/../common-dist/tomcat/log4j.xml"
13 years, 5 months