Author: anil.saldhana(a)jboss.com
Date: 2011-01-26 22:59:39 -0500 (Wed, 26 Jan 2011)
New Revision: 666
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
Log:
PLFED-123: SAML2 auth response should contain the AuthnStatement
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java 2011-01-27
03:59:06 UTC (rev 665)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java 2011-01-27
03:59:39 UTC (rev 666)
@@ -32,6 +32,10 @@
*/
public interface SAML2Handler
{
+ //Define some constants
+ String DISABLE_AUTHN_STATEMENT = "DISABLE_AUTHN_STATEMENT";
+ String DISABLE_SENDING_ROLES = "DISABLE_SENDING_ROLES";
+
/**
* Processing Point - idp side
* or service side
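Review bot: The two new constants carry only the comment `//Define some constants`, which tells a handler author nothing about how to set them or what they change; since this interface is the shared handler contract, each needs a Javadoc line. Judging from the checks added to SAML2AuthenticationHandler in this same commit (the parameter is compared with null), the semantics are presence-based, so something like `/** Handler-config parameter name; when present with any value, the IDP handler omits the AuthnStatement from the assertion. */` and `/** Handler-config parameter name; when present with any value, the IDP handler omits the role AttributeStatement from the assertion. */` would record that. The interface body continues outside the hunk.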
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java 2011-01-27
03:59:06 UTC (rev 665)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java 2011-01-27
03:59:39 UTC (rev 666)
@@ -21,11 +21,13 @@
*/
package org.picketlink.identity.federation.core.saml.v2.util;
+import java.net.URI;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;
+import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.namespace.QName;
import org.picketlink.identity.federation.core.constants.AttributeConstants;
@@ -34,6 +36,10 @@
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType;
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeType;
+import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AuthnContextClassRefType;
+import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AuthnContextType;
+import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AuthnContextType.AuthnContextTypeSequence;
+import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AuthnStatementType;
/**
* Deals with SAML2 Statements
@@ -42,9 +48,31 @@
*/
public class StatementUtil
{
- public static final QName X500_QNAME = new
QName(JBossSAMLURIConstants.X500_NSURI.get(), "Encoding",
JBossSAMLURIConstants.X500_PREFIX.get());
-
+ public static final QName X500_QNAME = new
QName(JBossSAMLURIConstants.X500_NSURI.get(), "Encoding",
JBossSAMLURIConstants.X500_PREFIX.get());
+
/**
+ * Create an AuthnStatementType given the issue instant and the type of
authentication
+ * @param instant an instanceof {@link XMLGregorianCalendar}
+ * @param authnContextClassRefValue indicate the type of authentication performed
+ * @return {@link AuthnStatementType}
+ */
+ public static AuthnStatementType createAuthnStatement( XMLGregorianCalendar instant,
String authnContextClassRefValue )
+ {
+ AuthnStatementType authnStatement = new AuthnStatementType( instant );
+
+ AuthnContextType authnContext = new AuthnContextType();
+ AuthnContextClassRefType authnContextClassRef = new AuthnContextClassRefType(
URI.create( authnContextClassRefValue ));
+
+ AuthnContextTypeSequence sequence = (authnContext).new AuthnContextTypeSequence();
+ sequence.setClassRef( authnContextClassRef );
+ authnContext.setSequence( sequence );
+
+ authnStatement.setAuthnContext( authnContext );
+
+ return authnStatement;
+ }
+
+ /**
* Create an attribute statement with all the attributes
* @param attributes a map with keys from {@link AttributeConstants}
* @return
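Review bot: `createAuthnStatement` hands `authnContextClassRefValue` straight to `URI.create`, which throws `IllegalArgumentException` on a malformed value, and neither argument is null-checked, so a bad handler configuration surfaces as an unexplained runtime exception in the middle of assertion building. Validate up front with `if (instant == null || authnContextClassRefValue == null) throw new IllegalArgumentException("instant and authnContextClassRefValue are required");` and record the URI failure mode in the Javadoc with `@throws IllegalArgumentException if authnContextClassRefValue is not a valid URI`. The `@param instant` text `an instanceof {@link XMLGregorianCalendar}` only restates the type; saying what the value represents (the caller in this commit passes the response issue instant, which `new AuthnStatementType(instant)` presumably uses as AuthnInstant — confirm) would help readers more.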
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-01-27
03:59:06 UTC (rev 665)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-01-27
03:59:39 UTC (rev 666)
@@ -39,19 +39,21 @@
import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import
org.picketlink.identity.federation.core.saml.v2.exceptions.AssertionExpiredException;
-import
org.picketlink.identity.federation.core.saml.v2.exceptions.IssueInstantMissingException;
import org.picketlink.identity.federation.core.saml.v2.holders.IDPInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.holders.SPInfoHolder;
+import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import
org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest.GENERATE_REQUEST_TYPE;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.saml.v2.util.StatementUtil;
+import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AssertionType;
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType;
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeType;
+import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AuthnStatementType;
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.EncryptedAssertionType;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.NameIDType;
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.StatementAbstractType;
@@ -69,7 +71,15 @@
import org.w3c.dom.Node;
/**
+ * <p>
* Handles for dealing with SAML2 Authentication
+ * </p>
+ * <p>
+ * Configuration Options:
+ * @see SAML2Handler#DISABLE_AUTHN_STATEMENT Setting a value will disable the generation
of an AuthnStatement
+ * @see SAML2Handler#DISABLE_SENDING_ROLES Setting any value will disable the generation
and return of roles to SP
+ * </p>
+ *
* @author Anil.Saldhana(a)redhat.com
* @since Oct 8, 2009
*/
@@ -245,11 +255,19 @@
//Add information on the roles
AssertionType assertion = (AssertionType)
responseType.getAssertions().get(0).getAssertion();
- AttributeStatementType attrStatement =
StatementUtil.createAttributeStatement(roles);
- assertion.addStatement( attrStatement );
+ //Create an AuthnStatementType
+ if( handlerConfig.getParameter( DISABLE_AUTHN_STATEMENT ) == null )
+ {
+ AuthnStatementType authnStatement =
+ StatementUtil.createAuthnStatement( XMLTimeUtil.getIssueInstant(),
JBossSAMLURIConstants.AC_PASSWORD_PROTECTED_TRANSPORT.get() );
+ assertion.addStatement( authnStatement );
+ }
- /*//Add timed conditions
- saml2Response.createTimedConditions(assertion, assertionValidity);*/
+ if( handlerConfig.getParameter( DISABLE_SENDING_ROLES ) == null )
+ {
+ AttributeStatementType attrStatement =
StatementUtil.createAttributeStatement(roles);
+ assertion.addStatement( attrStatement );
+ }
//Add in the attributes information
if(attribs != null && attribs.size() > 0 )
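Review bot: Both new guards test `handlerConfig.getParameter(...) == null`, so any configured value, including `false`, disables the feature, while the class Javadoc added in this commit says "Setting a value will disable"; either the Javadoc should state that presence alone disables, or the check should parse the value, e.g. `if( !Boolean.parseBoolean( String.valueOf( handlerConfig.getParameter( DISABLE_AUTHN_STATEMENT ) ) ) )` (the return type of getParameter is not visible here, so adjust the conversion). Separately, the AuthnContextClassRef is hard-coded to `AC_PASSWORD_PROTECTED_TRANSPORT` regardless of how the user actually authenticated at the IDP; service providers may base authorization decisions on this value, so it should be driven by a handler parameter with this constant as the default, or the limitation documented where the handler is configured. The enclosing method starts and ends outside the hunk.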
@@ -286,84 +304,7 @@
log.trace(e);
}
return samlResponseDocument;
- }
-
- @SuppressWarnings("unused")
- @Deprecated
- public Document getResponse( String assertionConsumerURL,
- Principal userPrincipal,
- List<String> roles,
- String identityURL,
- Map<String, Object> attribs,
- long assertionValidity, String requestID)
- throws ConfigurationException, IssueInstantMissingException, ProcessingException
- {
- Document samlResponseDocument = null;
-
- if(trace)
- log.trace("AssertionConsumerURL=" + assertionConsumerURL +
- "::assertion validity=" + assertionValidity);
- ResponseType responseType = null;
-
- SAML2Response saml2Response = new SAML2Response();
-
- //Create a response type
- String id = IDGenerator.create("ID_");
-
- IssuerInfoHolder issuerHolder = new IssuerInfoHolder(identityURL);
- issuerHolder.setStatusCode(JBossSAMLURIConstants.STATUS_SUCCESS.get());
-
- IDPInfoHolder idp = new IDPInfoHolder();
- idp.setNameIDFormatValue(userPrincipal.getName());
- idp.setNameIDFormat(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get());
-
- SPInfoHolder sp = new SPInfoHolder();
- sp.setResponseDestinationURI(assertionConsumerURL);
- sp.setRequestID(requestID);
- responseType = saml2Response.createResponseType(id, sp, idp, issuerHolder);
-
- //Add information on the roles
- AssertionType assertion = (AssertionType)
responseType.getAssertions().get(0).getAssertion();
-
- AttributeStatementType attrStatement =
StatementUtil.createAttributeStatement(roles);
- assertion.addStatement( attrStatement );
-
- /*//Add timed conditions
- saml2Response.createTimedConditions(assertion, assertionValidity);*/
-
- //Add in the attributes information
- if(attribs != null && attribs.size() > 0 )
- {
- AttributeStatementType attStatement =
StatementUtil.createAttributeStatement(attribs);
- assertion.addStatement( attStatement );
- }
-
- //Lets see how the response looks like
- if(log.isTraceEnabled())
- {
- StringWriter sw = new StringWriter();
- try
- {
- saml2Response.marshall(responseType, sw);
- }
- catch ( ProcessingException e)
- {
- log.trace(e);
- }
- log.trace("Response="+sw.toString());
- }
- try
- {
- samlResponseDocument = saml2Response.convert(responseType);
- }
- catch (Exception e)
- {
- e.printStackTrace();
- if(trace)
- log.trace(e);
- }
- return samlResponseDocument;
- }
+ }
}
private class SPAuthenticationHandler