Author: anil.saldhana(a)jboss.com
Date: 2011-03-15 13:14:01 -0400 (Tue, 15 Mar 2011)
New Revision: 812
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java
Log:
remove unused code
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
---
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2011-03-15
16:39:35 UTC (rev 811)
+++
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2011-03-15
17:14:01 UTC (rev 812)
@@ -103,7 +103,6 @@
import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
import org.w3c.dom.Document;
-
/**
* Generic Web Browser SSO valve for the IDP
*
@@ -115,59 +114,60 @@
*/
public class IDPWebBrowserSSOValve extends ValveBase implements Lifecycle
{
- private static Logger log = Logger.getLogger(IDPWebBrowserSSOValve.class);
- private boolean trace = log.isTraceEnabled();
-
+ private static Logger log = Logger.getLogger(IDPWebBrowserSSOValve.class);
+
+ private final boolean trace = log.isTraceEnabled();
+
protected IDPType idpConfiguration = null;
-
+
private RoleGenerator roleGenerator = new TomcatRoleGenerator();
private long assertionValidity = 5000; // 5 seconds in miliseconds
-
+
private String identityURL = null;
-
+
private TrustKeyManager keyManager;
-
+
private Boolean ignoreIncomingSignatures = false;
private Boolean signOutgoingMessages = true;
private transient DelegatedAttributeManager attribManager = new
DelegatedAttributeManager();
- private List<String> attributeKeys = new ArrayList<String>();
-
+
+ private final List<String> attributeKeys = new ArrayList<String>();
+
private transient SAML2HandlerChain chain = null;
-
+
private Context context = null;
-
- private transient String samlHandlerChainClass = null;
-
+ private transient String samlHandlerChainClass = null;
+
protected String canonicalizationMethod =
CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
-
+
/**
* If the user wants to set a particular {@link IdentityParticipantStack}
*/
protected String identityParticipantStack = null;
-
+
/**
* A Lock for Handler operations in the chain
*/
- private Lock chainLock = new ReentrantLock();
-
+ private final Lock chainLock = new ReentrantLock();
+
//Set a list of attributes we are interested in separated by comma
public void setAttributeList(String attribList)
- {
- if(attribList != null && !"".equals(attribList))
+ {
+ if (attribList != null && !"".equals(attribList))
{
this.attributeKeys.clear();
- StringTokenizer st = new StringTokenizer(attribList,",");
- while(st != null && st.hasMoreTokens())
+ StringTokenizer st = new StringTokenizer(attribList, ",");
+ while (st != null && st.hasMoreTokens())
{
this.attributeKeys.add(st.nextToken());
}
}
}
-
+
public Boolean getIgnoreIncomingSignatures()
{
return ignoreIncomingSignatures;
@@ -177,15 +177,15 @@
{
this.ignoreIncomingSignatures = ignoreIncomingSignature;
}
-
+
/**
* IDP should not do any attributes such as generation of roles etc
* @param ignoreAttributes
*/
public void setIgnoreAttributesGeneration(Boolean ignoreAttributes)
{
- if( ignoreAttributes == Boolean.TRUE )
- this.attribManager = null;
+ if (ignoreAttributes == Boolean.TRUE)
+ this.attribManager = null;
}
public Boolean getSignOutgoingMessages()
@@ -197,7 +197,7 @@
{
this.signOutgoingMessages = signOutgoingMessages;
}
-
+
public void setRoleGenerator(String rgName)
{
try
@@ -208,15 +208,15 @@
catch (Exception e)
{
throw new RuntimeException(e);
- }
- }
-
+ }
+ }
+
public void setSamlHandlerChainClass(String samlHandlerChainClass)
{
this.samlHandlerChainClass = samlHandlerChainClass;
}
-
- public void setIdentityParticipantStack( String fqn )
+
+ public void setIdentityParticipantStack(String fqn)
{
this.identityParticipantStack = fqn;
}
@@ -224,99 +224,91 @@
@Override
public void invoke(Request request, Response response) throws IOException,
ServletException
{
- String referer = request.getHeader("Referer");
+ String referer = request.getHeader("Referer");
String relayState = request.getParameter(GeneralConstants.RELAY_STATE);
- if(isNotNull(relayState))
+ if (isNotNull(relayState))
relayState = RedirectBindingUtil.urlDecode(relayState);
-
+
String samlRequestMessage =
request.getParameter(GeneralConstants.SAML_REQUEST_KEY);
String samlResponseMessage =
request.getParameter(GeneralConstants.SAML_RESPONSE_KEY);
String signature = request.getParameter("Signature");
- String sigAlg = request.getParameter("SigAlg");
-
- boolean containsSAMLRequestMessage = isNotNull(samlRequestMessage);
- boolean containsSAMLResponseMessage = isNotNull(samlResponseMessage);
-
- Session session = request.getSessionInternal();
-
- if(containsSAMLRequestMessage || containsSAMLResponseMessage)
+ String sigAlg = request.getParameter("SigAlg");
+
+ boolean containsSAMLRequestMessage = isNotNull(samlRequestMessage);
+ boolean containsSAMLResponseMessage = isNotNull(samlResponseMessage);
+
+ Session session = request.getSessionInternal();
+
+ if (containsSAMLRequestMessage || containsSAMLResponseMessage)
{
- if(trace) log.trace("Storing the SAMLRequest/SAMLResponse and RelayState in
session");
- if(isNotNull(samlRequestMessage))
- session.setNote(GeneralConstants.SAML_REQUEST_KEY, samlRequestMessage);
- if(isNotNull(samlResponseMessage))
- session.setNote(GeneralConstants.SAML_RESPONSE_KEY, samlResponseMessage);
- if(isNotNull(relayState))
+ if (trace)
+ log.trace("Storing the SAMLRequest/SAMLResponse and RelayState in
session");
+ if (isNotNull(samlRequestMessage))
+ session.setNote(GeneralConstants.SAML_REQUEST_KEY, samlRequestMessage);
+ if (isNotNull(samlResponseMessage))
+ session.setNote(GeneralConstants.SAML_RESPONSE_KEY, samlResponseMessage);
+ if (isNotNull(relayState))
session.setNote(GeneralConstants.RELAY_STATE, relayState.trim());
- if(isNotNull(signature))
+ if (isNotNull(signature))
session.setNote("Signature", signature.trim());
- if(isNotNull(sigAlg))
+ if (isNotNull(sigAlg))
session.setNote("sigAlg", sigAlg.trim());
- }
-
+ }
+
//Lets check if the user has been authenticated
Principal userPrincipal = request.getPrincipal();
- if(userPrincipal == null)
+ if (userPrincipal == null)
{
try
{
//Next in the invocation chain
- getNext().invoke(request, response);
+ getNext().invoke(request, response);
}
finally
{
userPrincipal = request.getPrincipal();
referer = request.getHeader("Referer");
- if(trace)
- log.trace("Referer in finally block="+ referer + ":user
principal=" + userPrincipal);
+ if (trace)
+ log.trace("Referer in finally block=" + referer + ":user
principal=" + userPrincipal);
}
}
-
-
+
IDPWebRequestUtil webRequestUtil = new IDPWebRequestUtil(request, idpConfiguration,
keyManager);
- webRequestUtil.setAttributeManager(this.attribManager);
- webRequestUtil.setAttributeKeys(attributeKeys);
-
+
Document samlErrorResponse = null;
//Look for unauthorized status
- if(response.getStatus() == HttpServletResponse.SC_FORBIDDEN)
+ if (response.getStatus() == HttpServletResponse.SC_FORBIDDEN)
{
try
{
- samlErrorResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
-
+ samlErrorResponse = webRequestUtil.getErrorResponse(referer,
+ JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(), this.identityURL,
this.signOutgoingMessages);
+
WebRequestUtilHolder holder = webRequestUtil.getHolder();
-
holder.setResponseDoc(samlErrorResponse).setDestination(referer).setRelayState(relayState).setAreWeSendingRequest(false)
-
.setPrivateKey(null).setSupportSignature(false).setServletResponse(response);
- holder.setPostBindingRequested( webRequestUtil.hasSAMLRequestInPostProfile()
);
-
- if(this.signOutgoingMessages)
+
holder.setResponseDoc(samlErrorResponse).setDestination(referer).setRelayState(relayState)
+
.setAreWeSendingRequest(false).setPrivateKey(null).setSupportSignature(false)
+ .setServletResponse(response);
+
holder.setPostBindingRequested(webRequestUtil.hasSAMLRequestInPostProfile());
+
+ if (this.signOutgoingMessages)
{
- holder.setSupportSignature(true).setPrivateKey( keyManager.getSigningKey()
);
+
holder.setSupportSignature(true).setPrivateKey(keyManager.getSigningKey());
webRequestUtil.send(holder);
//webRequestUtil.send(samlErrorResponse, referer, relayState, response,
true,
//this.keyManager.getSigningKey(), false);
- }
- else
- {
- // webRequestUtil.send(samlErrorResponse, referer,relayState, response,
false,null, false);
-
}
- webRequestUtil.send(holder);
- }
+ webRequestUtil.send(holder);
+ }
catch (GeneralSecurityException e)
{
throw new ServletException(e);
- }
+ }
return;
- }
-
- if(userPrincipal != null)
+ }
+
+ if (userPrincipal != null)
{
/**
* Since the container has finished the authentication,
@@ -329,30 +321,30 @@
relayState = (String) session.getNote(GeneralConstants.RELAY_STATE);
signature = (String) session.getNote("Signature");
sigAlg = (String) session.getNote("sigAlg");
-
- if(trace)
+
+ if (trace)
{
StringBuilder builder = new StringBuilder();
builder.append("Retrieved saml messages and relay state from
session");
builder.append("saml Request
message=").append(samlRequestMessage);
builder.append("::").append("SAMLResponseMessage=");
builder.append(samlResponseMessage).append(":").append("relay
state=").append(relayState);
-
+
builder.append("Signature=").append(signature).append("::sigAlg=").append(sigAlg);
log.trace(builder.toString());
}
-
- if(isNotNull(samlRequestMessage))
- session.removeNote(GeneralConstants.SAML_REQUEST_KEY);
- if(isNotNull(samlResponseMessage))
+
+ if (isNotNull(samlRequestMessage))
+ session.removeNote(GeneralConstants.SAML_REQUEST_KEY);
+ if (isNotNull(samlResponseMessage))
session.removeNote(GeneralConstants.SAML_RESPONSE_KEY);
-
- if(isNotNull(relayState))
+
+ if (isNotNull(relayState))
session.removeNote(GeneralConstants.RELAY_STATE);
-
- if(isNotNull(signature))
+
+ if (isNotNull(signature))
session.removeNote("Signature");
- if(isNotNull(sigAlg))
+ if (isNotNull(sigAlg))
session.removeNote("sigAlg");
boolean willSendRequest = false;
@@ -362,262 +354,250 @@
Document samlResponse = null;
String destination = null;
-
+
Boolean requestedPostProfile = null;
-
-
+
//Send valid saml response after processing the request
- if(samlRequestMessage != null)
+ if (samlRequestMessage != null)
{
//Get the SAML Request Message
- RequestAbstractType requestAbstractType = null;
-
- try
+ RequestAbstractType requestAbstractType = null;
+
+ try
+ {
+ samlDocumentHolder =
webRequestUtil.getSAMLDocumentHolder(samlRequestMessage);
+ samlObject = samlDocumentHolder.getSamlObject();
+
+ boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile();
+ boolean isValid = validate(request.getRemoteAddr(),
request.getQueryString(), new SessionHolder(
+ samlRequestMessage, signature, sigAlg), isPost);
+
+ if (!isValid)
+ throw new GeneralSecurityException("Validation check
failed");
+
+ String issuer = null;
+ IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL);
+ ProtocolContext protocolContext = new HTTPContext(request, response,
context.getServletContext());
+ //Create the request/response
+ SAML2HandlerRequest saml2HandlerRequest = new
DefaultSAML2HandlerRequest(protocolContext,
+ idpIssuer.getIssuer(), samlDocumentHolder, HANDLER_TYPE.IDP);
+ saml2HandlerRequest.setRelayState(relayState);
+
+ String assertionID = (String)
session.getSession().getAttribute(GeneralConstants.ASSERTION_ID);
+
+ //Set the options on the handler request
+ Map<String, Object> requestOptions = new HashMap<String,
Object>();
+ if (this.ignoreIncomingSignatures)
+ requestOptions.put(GeneralConstants.IGNORE_SIGNATURES, Boolean.TRUE);
+ requestOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator);
+ requestOptions.put(GeneralConstants.ASSERTIONS_VALIDITY,
this.assertionValidity);
+ requestOptions.put(GeneralConstants.CONFIGURATION,
this.idpConfiguration);
+ if (assertionID != null)
+ requestOptions.put(GeneralConstants.ASSERTION_ID, assertionID);
+
+ if (this.keyManager != null)
{
- samlDocumentHolder =
webRequestUtil.getSAMLDocumentHolder(samlRequestMessage);
- samlObject = (SAML2Object) samlDocumentHolder.getSamlObject();
-
-
- boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile();
- boolean isValid = validate(request.getRemoteAddr(),
- request.getQueryString(),
- new SessionHolder(samlRequestMessage, signature, sigAlg),
isPost);
-
- if(!isValid)
- throw new GeneralSecurityException("Validation check
failed");
+ String remoteHost = request.getRemoteAddr();
+ if (trace)
+ {
+ log.trace("Remote Host=" + remoteHost);
+ }
+ PublicKey validatingKey = CoreConfigUtil.getValidatingKey(keyManager,
remoteHost);
+ requestOptions.put(GeneralConstants.SENDER_PUBLIC_KEY, validatingKey);
+ requestOptions.put(GeneralConstants.DECRYPTING_KEY,
keyManager.getSigningKey());
+ }
- String issuer = null;
- IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL);
- ProtocolContext protocolContext = new HTTPContext(request,response,
context.getServletContext());
- //Create the request/response
- SAML2HandlerRequest saml2HandlerRequest =
- new DefaultSAML2HandlerRequest(protocolContext,
- idpIssuer.getIssuer(), samlDocumentHolder,
- HANDLER_TYPE.IDP);
- saml2HandlerRequest.setRelayState(relayState);
-
- String assertionID = (String) session.getSession().getAttribute(
GeneralConstants.ASSERTION_ID );
-
- //Set the options on the handler request
- Map<String, Object> requestOptions = new HashMap<String,
Object>();
- if(this.ignoreIncomingSignatures)
- requestOptions.put(GeneralConstants.IGNORE_SIGNATURES,
Boolean.TRUE);
- requestOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator);
- requestOptions.put(GeneralConstants.ASSERTIONS_VALIDITY,
this.assertionValidity);
- requestOptions.put(GeneralConstants.CONFIGURATION,
this.idpConfiguration);
- if( assertionID != null )
- requestOptions.put(GeneralConstants.ASSERTION_ID, assertionID );
-
- if(this.keyManager != null)
+ Map<String, Object> attribs =
this.attribManager.getAttributes(userPrincipal, attributeKeys);
+ requestOptions.put(GeneralConstants.ATTRIBUTES, attribs);
+
+ saml2HandlerRequest.setOptions(requestOptions);
+
+ List<String> roles = roleGenerator.generateRoles(userPrincipal);
+ session.getSession().setAttribute(GeneralConstants.ROLES_ID, roles);
+
+ SAML2HandlerResponse saml2HandlerResponse = new
DefaultSAML2HandlerResponse();
+
+ Set<SAML2Handler> handlers = chain.handlers();
+
+ if (trace)
+ {
+ log.trace("Handlers are=" + handlers);
+ }
+
+ if (samlObject instanceof RequestAbstractType)
+ {
+ requestAbstractType = (RequestAbstractType) samlObject;
+ issuer = requestAbstractType.getIssuer().getValue();
+ webRequestUtil.isTrusted(issuer);
+
+ if (handlers != null)
{
- String remoteHost = request.getRemoteAddr();
- if(trace)
+ try
{
- log.trace("Remote Host=" + remoteHost);
+ chainLock.lock();
+ for (SAML2Handler handler : handlers)
+ {
+ handler.handleRequestType(saml2HandlerRequest,
saml2HandlerResponse);
+ willSendRequest = saml2HandlerResponse.getSendRequest();
+ }
}
- PublicKey validatingKey =
CoreConfigUtil.getValidatingKey(keyManager, remoteHost );
- requestOptions.put(GeneralConstants.SENDER_PUBLIC_KEY,
validatingKey);
- requestOptions.put( GeneralConstants.DECRYPTING_KEY,
keyManager.getSigningKey() );
+ finally
+ {
+ chainLock.unlock();
+ }
}
-
- Map<String,Object> attribs =
this.attribManager.getAttributes(userPrincipal, attributeKeys);
- requestOptions.put(GeneralConstants.ATTRIBUTES, attribs);
-
- saml2HandlerRequest.setOptions(requestOptions);
-
- List<String> roles = roleGenerator.generateRoles(userPrincipal);
- session.getSession().setAttribute(GeneralConstants.ROLES_ID, roles);
-
- SAML2HandlerResponse saml2HandlerResponse = new
DefaultSAML2HandlerResponse();
+ }
+ else
+ throw new RuntimeException("Unknown type:" +
samlObject.getClass().getName());
- Set<SAML2Handler> handlers = chain.handlers();
-
- if(trace)
+ samlResponse = saml2HandlerResponse.getResultingDocument();
+ relayState = saml2HandlerResponse.getRelayState();
+
+ destination = saml2HandlerResponse.getDestination();
+
+ requestedPostProfile = saml2HandlerResponse.isPostBindingForResponse();
+ }
+ catch (IssuerNotTrustedException e)
+ {
+ if (trace)
+ log.trace("Exception in processing request:", e);
+
+ samlResponse = webRequestUtil.getErrorResponse(referer,
+ JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get(), this.identityURL,
this.signOutgoingMessages);
+ }
+ catch (ParsingException e)
+ {
+ if (trace)
+ log.trace("Exception in processing request:", e);
+
+ samlResponse = webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
+ this.identityURL, this.signOutgoingMessages);
+ }
+ catch (ConfigurationException e)
+ {
+ if (trace)
+ log.trace("Exception in processing request:", e);
+
+ samlResponse = webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
+ this.identityURL, this.signOutgoingMessages);
+ }
+ catch (IssueInstantMissingException e)
+ {
+ if (trace)
+ log.trace("Exception in processing request:", e);
+
+ samlResponse = webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
+ this.identityURL, this.signOutgoingMessages);
+ }
+ catch (GeneralSecurityException e)
+ {
+ if (trace)
+ log.trace("Exception in processing request:", e);
+
+ samlResponse = webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
+ this.identityURL, this.signOutgoingMessages);
+ }
+ catch (Exception e)
+ {
+ if (trace)
+ log.trace("Exception in processing request:", e);
+
+ samlResponse = webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
+ this.identityURL, this.signOutgoingMessages);
+ }
+ finally
+ {
+ try
+ {
+ boolean postProfile = webRequestUtil.hasSAMLRequestInPostProfile();
+ if (postProfile)
+ recycle(response);
+
+ WebRequestUtilHolder holder = webRequestUtil.getHolder();
+
holder.setResponseDoc(samlResponse).setDestination(destination).setRelayState(relayState)
+
.setAreWeSendingRequest(willSendRequest).setPrivateKey(null).setSupportSignature(false)
+ .setServletResponse(response);
+
+ if (requestedPostProfile != null)
+ holder.setPostBindingRequested(requestedPostProfile);
+ else
+ holder.setPostBindingRequested(postProfile);
+
+ if (this.signOutgoingMessages)
{
- log.trace("Handlers are=" + handlers);
+
holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true);
}
-
- if(samlObject instanceof RequestAbstractType)
- {
- requestAbstractType = (RequestAbstractType) samlObject;
- issuer = requestAbstractType.getIssuer().getValue();
- webRequestUtil.isTrusted(issuer);
-
- if(handlers != null)
- {
- try
- {
- chainLock.lock();
- for(SAML2Handler handler: handlers)
- {
- handler.handleRequestType(saml2HandlerRequest,
saml2HandlerResponse);
- willSendRequest = saml2HandlerResponse.getSendRequest();
- }
- }
- finally
- {
- chainLock.unlock();
- }
- }
- }
- else
- throw new RuntimeException("Unknown type:" +
samlObject.getClass().getName());
- samlResponse = saml2HandlerResponse.getResultingDocument();
- relayState = saml2HandlerResponse.getRelayState();
-
- destination = saml2HandlerResponse.getDestination();
-
- requestedPostProfile = saml2HandlerResponse.isPostBindingForResponse();
+ webRequestUtil.send(holder);
}
- catch (IssuerNotTrustedException e)
- {
- if(trace) log.trace("Exception in processing request:",e);
-
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get(),
- this.identityURL, this.signOutgoingMessages);
- }
catch (ParsingException e)
{
- if(trace) log.trace("Exception in processing request:",e);
-
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
+ if (trace)
+ log.trace("Parsing exception:", e);
}
- catch (ConfigurationException e)
+ catch (GeneralSecurityException e)
{
- if(trace) log.trace("Exception in processing request:",e);
-
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
+ if (trace)
+ log.trace("Security Exception:", e);
}
- catch (IssueInstantMissingException e)
- {
- if(trace) log.trace("Exception in processing request:",e);
-
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
- }
- catch(GeneralSecurityException e)
- {
- if(trace) log.trace("Exception in processing request:", e);
-
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
- }
- catch(Exception e)
- {
- if(trace) log.trace("Exception in processing request:",e);
-
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
- }
- finally
- {
- try
- {
- boolean postProfile = webRequestUtil.hasSAMLRequestInPostProfile();
- if( postProfile )
- recycle(response);
-
-
- WebRequestUtilHolder holder = webRequestUtil.getHolder();
-
holder.setResponseDoc(samlResponse).setDestination(destination).setRelayState(relayState).setAreWeSendingRequest(willSendRequest)
-
.setPrivateKey(null).setSupportSignature(false).setServletResponse(response);
-
- if( requestedPostProfile != null )
- holder.setPostBindingRequested( requestedPostProfile );
- else
- holder.setPostBindingRequested(postProfile);
-
- if(this.signOutgoingMessages)
- {
- holder.setPrivateKey( keyManager.getSigningKey()
).setSupportSignature( true );
- }
-
- webRequestUtil.send(holder);
- }
- catch (ParsingException e)
- {
- if(trace) log.trace("Parsing exception:", e);
- }
- catch (GeneralSecurityException e)
- {
- if(trace) log.trace("Security Exception:",e);
- }
- }
+ }
return;
}
- else if(isNotNull(samlResponseMessage))
+ else if (isNotNull(samlResponseMessage))
{
StatusResponseType statusResponseType = null;
try
{
samlDocumentHolder =
webRequestUtil.getSAMLDocumentHolder(samlResponseMessage);
- samlObject = (SAML2Object) samlDocumentHolder.getSamlObject();
-
+ samlObject = samlDocumentHolder.getSamlObject();
+
boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile();
boolean isValid = false;
-
+
String remoteAddress = request.getRemoteAddr();
-
- if(isPost)
+
+ if (isPost)
{
//Validate
- SAML2Signature samlSignature = new SAML2Signature();
-
- if( ignoreIncomingSignatures == false && signOutgoingMessages
== true )
+ SAML2Signature samlSignature = new SAML2Signature();
+
+ if (ignoreIncomingSignatures == false && signOutgoingMessages
== true)
{
PublicKey publicKey = keyManager.getValidatingKey(remoteAddress);
- isValid =
samlSignature.validate(samlDocumentHolder.getSamlDocument(), publicKey);
+ isValid =
samlSignature.validate(samlDocumentHolder.getSamlDocument(), publicKey);
}
else
isValid = true;
}
else
- {
- isValid = validate(remoteAddress,
- request.getQueryString(),
- new SessionHolder(samlResponseMessage, signature, sigAlg),
isPost);
+ {
+ isValid = validate(remoteAddress, request.getQueryString(), new
SessionHolder(samlResponseMessage,
+ signature, sigAlg), isPost);
}
-
- if(!isValid)
+
+ if (!isValid)
throw new GeneralSecurityException("Validation check
failed");
String issuer = null;
IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL);
- ProtocolContext protocolContext = new HTTPContext(request,response,
context.getServletContext());
+ ProtocolContext protocolContext = new HTTPContext(request, response,
context.getServletContext());
//Create the request/response
- SAML2HandlerRequest saml2HandlerRequest =
- new DefaultSAML2HandlerRequest(protocolContext,
- idpIssuer.getIssuer(), samlDocumentHolder,
- HANDLER_TYPE.IDP);
+ SAML2HandlerRequest saml2HandlerRequest = new
DefaultSAML2HandlerRequest(protocolContext,
+ idpIssuer.getIssuer(), samlDocumentHolder, HANDLER_TYPE.IDP);
saml2HandlerRequest.setRelayState(relayState);
-
- SAML2HandlerResponse saml2HandlerResponse = new
DefaultSAML2HandlerResponse();
+ SAML2HandlerResponse saml2HandlerResponse = new
DefaultSAML2HandlerResponse();
+
Set<SAML2Handler> handlers = chain.handlers();
-
- if(samlObject instanceof StatusResponseType)
+
+ if (samlObject instanceof StatusResponseType)
{
statusResponseType = (StatusResponseType) samlObject;
issuer = statusResponseType.getIssuer().getValue();
webRequestUtil.isTrusted(issuer);
-
- if(handlers != null)
- {
+
+ if (handlers != null)
+ {
try
{
chainLock.lock();
@@ -631,149 +611,147 @@
finally
{
chainLock.unlock();
- }
- }
+ }
+ }
}
else
throw new RuntimeException("Unknown type:" +
samlObject.getClass().getName());
samlResponse = saml2HandlerResponse.getResultingDocument();
relayState = saml2HandlerResponse.getRelayState();
-
+
destination = saml2HandlerResponse.getDestination();
requestedPostProfile = saml2HandlerResponse.isPostBindingForResponse();
}
catch (IssuerNotTrustedException e)
{
- if(trace) log.trace("Exception in processing request:",e);
-
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get(),
- this.identityURL, this.signOutgoingMessages);
+ if (trace)
+ log.trace("Exception in processing request:", e);
+
+ samlResponse = webRequestUtil.getErrorResponse(referer,
+ JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get(), this.identityURL,
this.signOutgoingMessages);
}
catch (ParsingException e)
{
- if(trace) log.trace("Exception in processing request:",e);
-
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
+ if (trace)
+ log.trace("Exception in processing request:", e);
+
+ samlResponse = webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
+ this.identityURL, this.signOutgoingMessages);
}
catch (ConfigurationException e)
{
- if(trace) log.trace("Exception in processing request:",e);
-
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
+ if (trace)
+ log.trace("Exception in processing request:", e);
+
+ samlResponse = webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
+ this.identityURL, this.signOutgoingMessages);
}
catch (IssueInstantMissingException e)
{
- if(trace) log.trace("Exception in processing request:",e);
-
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
- }
- catch(GeneralSecurityException e)
+ if (trace)
+ log.trace("Exception in processing request:", e);
+
+ samlResponse = webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
+ this.identityURL, this.signOutgoingMessages);
+ }
+ catch (GeneralSecurityException e)
{
- if(trace) log.trace("Exception in processing request:", e);
-
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
+ if (trace)
+ log.trace("Exception in processing request:", e);
+
+ samlResponse = webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
+ this.identityURL, this.signOutgoingMessages);
}
- catch(Exception e)
+ catch (Exception e)
{
- if(trace) log.trace("Exception in processing request:",e);
-
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
+ if (trace)
+ log.trace("Exception in processing request:", e);
+
+ samlResponse = webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
+ this.identityURL, this.signOutgoingMessages);
}
finally
{
try
{
- boolean postProfile = webRequestUtil.hasSAMLRequestInPostProfile();
- if( postProfile )
+ boolean postProfile = webRequestUtil.hasSAMLRequestInPostProfile();
+ if (postProfile)
recycle(response);
-
+
WebRequestUtilHolder holder = webRequestUtil.getHolder();
-
holder.setResponseDoc(samlResponse).setDestination(destination).setRelayState(relayState).setAreWeSendingRequest(willSendRequest)
-
.setPrivateKey(null).setSupportSignature(false).setServletResponse(response).setPostBindingRequested(
requestedPostProfile );
-
- if( requestedPostProfile != null )
- holder.setPostBindingRequested( requestedPostProfile );
+
holder.setResponseDoc(samlResponse).setDestination(destination).setRelayState(relayState)
+
.setAreWeSendingRequest(willSendRequest).setPrivateKey(null).setSupportSignature(false)
+
.setServletResponse(response).setPostBindingRequested(requestedPostProfile);
+
+ if (requestedPostProfile != null)
+ holder.setPostBindingRequested(requestedPostProfile);
else
holder.setPostBindingRequested(postProfile);
-
-
- if(this.signOutgoingMessages)
- {
- holder.setPrivateKey( keyManager.getSigningKey()
).setSupportSignature( true );
- }
- webRequestUtil.send( holder );
+
+ if (this.signOutgoingMessages)
+ {
+
holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true);
+ }
+ webRequestUtil.send(holder);
}
catch (ParsingException e)
{
- if(trace) log.trace("Parsing exception:", e);
- }
+ if (trace)
+ log.trace("Parsing exception:", e);
+ }
catch (GeneralSecurityException e)
{
- if(trace) log.trace("Security Exception:",e);
+ if (trace)
+ log.trace("Security Exception:", e);
}
- }
- return;
+ }
+ return;
}
else
{
log.error("No SAML Request or Response Message");
- if(trace) log.trace("Referer="+referer);
-
+ if (trace)
+ log.trace("Referer=" + referer);
+
try
{
sendErrorResponseToSP(referer, response, relayState, webRequestUtil);
}
catch (ConfigurationException e)
{
- if(trace) log.trace(e);
- }
- }
- }
+ if (trace)
+ log.trace(e);
+ }
+ }
+ }
}
-
+
protected void sendErrorResponseToSP(String referrer, Response response, String
relayState,
IDPWebRequestUtil webRequestUtil) throws ServletException, IOException,
ConfigurationException
{
- if(trace) log.trace("About to send error response to SP:" + referrer);
-
- Document samlResponse =
- webRequestUtil.getErrorResponse(referrer,
JBossSAMLURIConstants.STATUS_RESPONDER.get(),
- this.identityURL, this.signOutgoingMessages);
+ if (trace)
+ log.trace("About to send error response to SP:" + referrer);
+
+ Document samlResponse = webRequestUtil.getErrorResponse(referrer,
JBossSAMLURIConstants.STATUS_RESPONDER.get(),
+ this.identityURL, this.signOutgoingMessages);
try
{
- boolean postProfile = webRequestUtil.hasSAMLRequestInPostProfile();
- if( postProfile )
+ boolean postProfile = webRequestUtil.hasSAMLRequestInPostProfile();
+ if (postProfile)
recycle(response);
-
WebRequestUtilHolder holder = webRequestUtil.getHolder();
-
holder.setResponseDoc(samlResponse).setDestination(referrer).setRelayState(relayState).setAreWeSendingRequest(
false )
- .setPrivateKey(null).setSupportSignature(false).setServletResponse(response);
+
holder.setResponseDoc(samlResponse).setDestination(referrer).setRelayState(relayState)
+
.setAreWeSendingRequest(false).setPrivateKey(null).setSupportSignature(false)
+ .setServletResponse(response);
holder.setPostBindingRequested(postProfile);
-
- if(this.signOutgoingMessages)
- {
+
+ if (this.signOutgoingMessages)
+ {
holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true);
- }
+ }
webRequestUtil.send(holder);
}
catch (ParsingException e1)
@@ -781,15 +759,14 @@
throw new ServletException(e1);
}
catch (GeneralSecurityException e)
- {
+ {
throw new ServletException(e);
- }
+ }
}
-
- protected boolean validate(String remoteAddress,
- String queryString,
- SessionHolder holder, boolean isPost) throws IOException,
GeneralSecurityException
- {
+
+ protected boolean validate(String remoteAddress, String queryString, SessionHolder
holder, boolean isPost)
+ throws IOException, GeneralSecurityException
+ {
if (!isNotNull(holder.samlRequest))
{
return false;
@@ -803,12 +780,12 @@
log.error("Signature received from SP is null:" + remoteAddress);
return false;
}
-
+
//Check if there is a signature
byte[] sigValue =
RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(queryString);
- if(sigValue == null)
+ if (sigValue == null)
return false;
-
+
PublicKey validatingKey;
try
{
@@ -822,7 +799,7 @@
{
throw new GeneralSecurityException(e.getCause());
}
-
+
return RedirectBindingSignatureUtil.validateSignature(queryString,
validatingKey, sigValue);
}
else
@@ -831,7 +808,7 @@
return true;
}
}
-
+
//***************Lifecycle
/**
* The lifecycle event support for this component.
@@ -848,33 +825,30 @@
*
* @param listener The listener to add
*/
- public void addLifecycleListener(LifecycleListener listener)
+ public void addLifecycleListener(LifecycleListener listener)
{
- lifecycle.addLifecycleListener(listener);
+ lifecycle.addLifecycleListener(listener);
}
-
/**
* Get the lifecycle listeners associated with this lifecycle. If this
* Lifecycle has no listeners registered, a zero-length array is returned.
*/
- public LifecycleListener[] findLifecycleListeners()
+ public LifecycleListener[] findLifecycleListeners()
{
- return lifecycle.findLifecycleListeners();
+ return lifecycle.findLifecycleListeners();
}
-
/**
* Remove a lifecycle event listener from this component.
*
* @param listener The listener to add
*/
- public void removeLifecycleListener(LifecycleListener listener)
+ public void removeLifecycleListener(LifecycleListener listener)
{
- lifecycle.removeLifecycleListener(listener);
+ lifecycle.removeLifecycleListener(listener);
}
-
/**
* Prepare for the beginning of active use of the public methods of this
* component. This method should be called after
<code>configure()</code>,
@@ -886,17 +860,16 @@
public void start() throws LifecycleException
{
Handlers handlers = null;
-
- // Validate and update our current component state
- if (started)
- throw new LifecycleException
- ("IDPWebBrowserSSOValve already Started");
- lifecycle.fireLifecycleEvent(START_EVENT, null);
- started = true;
-
- //Get the chain from config
- if(StringUtil.isNullOrEmpty(samlHandlerChainClass))
- chain = SAML2HandlerChainFactory.createChain();
+
+ // Validate and update our current component state
+ if (started)
+ throw new LifecycleException("IDPWebBrowserSSOValve already
Started");
+ lifecycle.fireLifecycleEvent(START_EVENT, null);
+ started = true;
+
+ //Get the chain from config
+ if (StringUtil.isNullOrEmpty(samlHandlerChainClass))
+ chain = SAML2HandlerChainFactory.createChain();
else
try
{
@@ -906,142 +879,144 @@
{
throw new LifecycleException(e1);
}
-
- String configFile = GeneralConstants.CONFIG_FILE_LOCATION;
-
- context = (Context) getContainer();
- InputStream is = context.getServletContext().getResourceAsStream(configFile);
- if(is == null)
- throw new RuntimeException(configFile + " missing");
- try
- {
- idpConfiguration = ConfigurationUtil.getIDPConfiguration(is);
- this.identityURL = idpConfiguration.getIdentityURL();
- if(trace) log.trace("Identity Provider URL=" + this.identityURL);
- this.assertionValidity = idpConfiguration.getAssertionValidity();
- this.canonicalizationMethod = idpConfiguration.getCanonicalizationMethod();
- log.info( "IDPWebBrowserSSOValve:: Setting the CanonicalizationMethod on
XMLSignatureUtil::" + canonicalizationMethod );
- XMLSignatureUtil.setCanonicalizationMethodType(canonicalizationMethod);
-
- //Get the attribute manager
- String attributeManager = idpConfiguration.getAttributeManager();
- if(attributeManager != null && !"".equals(attributeManager))
- {
- ClassLoader tcl = SecurityActions.getContextClassLoader();
- AttributeManager delegate = (AttributeManager)
tcl.loadClass(attributeManager).newInstance();
- this.attribManager.setDelegate(delegate);
- }
- }
- catch (Exception e)
- {
- throw new RuntimeException(e);
- }
-
- //Ensure that the Core STS has the SAML20 Token Provider
- PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
- //Let us look for a file
- String configPath = context.getServletContext().getRealPath(
"/WEB-INF/picketlink-sts.xml" );
- File stsTokenConfigFile = configPath != null ? new File( configPath ) : null ;
-
- if( stsTokenConfigFile == null || stsTokenConfigFile.exists() == false )
- {
- log.info( "Did not find picketlink-sts.xml. We will install default
configuration" );
- sts.installDefaultConfiguration();
- }
- else
- sts.installDefaultConfiguration( configPath );
-
- if(this.signOutgoingMessages)
- {
- KeyProviderType keyProvider = this.idpConfiguration.getKeyProvider();
- if(keyProvider == null)
- throw new LifecycleException("Key Provider is null for context=" +
context.getName());
-
- try
- {
- this.keyManager = CoreConfigUtil.getTrustKeyManager(keyProvider);
-
- List<AuthPropertyType> authProperties =
CoreConfigUtil.getKeyProviderProperties(keyProvider);
- keyManager.setAuthProperties( authProperties );
- keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
- }
- catch(Exception e)
- {
- log.error("Exception reading configuration:",e);
- throw new LifecycleException(e.getLocalizedMessage());
- }
- if(trace) log.trace("Key Provider=" + keyProvider.getClassName());
- }
-
- try
- {
- //Get the handlers
- String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION;
- handlers =
ConfigurationUtil.getHandlers(context.getServletContext().getResourceAsStream(handlerConfigFileName));
- chain.addAll(HandlerUtil.getHandlers(handlers));
-
- Map<String, Object> chainConfigOptions = new HashMap<String,
Object>();
- chainConfigOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator);
- chainConfigOptions.put(GeneralConstants.CONFIGURATION, idpConfiguration);
- chainConfigOptions.put( GeneralConstants.CANONICALIZATION_METHOD,
canonicalizationMethod );
- if(this.keyManager != null)
+
+ String configFile = GeneralConstants.CONFIG_FILE_LOCATION;
+
+ context = (Context) getContainer();
+ InputStream is = context.getServletContext().getResourceAsStream(configFile);
+ if (is == null)
+ throw new RuntimeException(configFile + " missing");
+ try
+ {
+ idpConfiguration = ConfigurationUtil.getIDPConfiguration(is);
+ this.identityURL = idpConfiguration.getIdentityURL();
+ if (trace)
+ log.trace("Identity Provider URL=" + this.identityURL);
+ this.assertionValidity = idpConfiguration.getAssertionValidity();
+ this.canonicalizationMethod = idpConfiguration.getCanonicalizationMethod();
+ log.info("IDPWebBrowserSSOValve:: Setting the CanonicalizationMethod on
XMLSignatureUtil::"
+ + canonicalizationMethod);
+ XMLSignatureUtil.setCanonicalizationMethodType(canonicalizationMethod);
+
+ //Get the attribute manager
+ String attributeManager = idpConfiguration.getAttributeManager();
+ if (attributeManager != null && !"".equals(attributeManager))
+ {
+ ClassLoader tcl = SecurityActions.getContextClassLoader();
+ AttributeManager delegate = (AttributeManager)
tcl.loadClass(attributeManager).newInstance();
+ this.attribManager.setDelegate(delegate);
+ }
+ }
+ catch (Exception e)
+ {
+ throw new RuntimeException(e);
+ }
+
+ //Ensure that the Core STS has the SAML20 Token Provider
+ PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
+ //Let us look for a file
+ String configPath =
context.getServletContext().getRealPath("/WEB-INF/picketlink-sts.xml");
+ File stsTokenConfigFile = configPath != null ? new File(configPath) : null;
+
+ if (stsTokenConfigFile == null || stsTokenConfigFile.exists() == false)
+ {
+ log.info("Did not find picketlink-sts.xml. We will install default
configuration");
+ sts.installDefaultConfiguration();
+ }
+ else
+ sts.installDefaultConfiguration(configPath);
+
+ if (this.signOutgoingMessages)
+ {
+ KeyProviderType keyProvider = this.idpConfiguration.getKeyProvider();
+ if (keyProvider == null)
+ throw new LifecycleException("Key Provider is null for context=" +
context.getName());
+
+ try
+ {
+ this.keyManager = CoreConfigUtil.getTrustKeyManager(keyProvider);
+
+ List<AuthPropertyType> authProperties =
CoreConfigUtil.getKeyProviderProperties(keyProvider);
+ keyManager.setAuthProperties(authProperties);
+ keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
+ }
+ catch (Exception e)
+ {
+ log.error("Exception reading configuration:", e);
+ throw new LifecycleException(e.getLocalizedMessage());
+ }
+ if (trace)
+ log.trace("Key Provider=" + keyProvider.getClassName());
+ }
+
+ try
+ {
+ //Get the handlers
+ String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION;
+ handlers = ConfigurationUtil.getHandlers(context.getServletContext()
+ .getResourceAsStream(handlerConfigFileName));
+ chain.addAll(HandlerUtil.getHandlers(handlers));
+
+ Map<String, Object> chainConfigOptions = new HashMap<String,
Object>();
+ chainConfigOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator);
+ chainConfigOptions.put(GeneralConstants.CONFIGURATION, idpConfiguration);
+ chainConfigOptions.put(GeneralConstants.CANONICALIZATION_METHOD,
canonicalizationMethod);
+ if (this.keyManager != null)
chainConfigOptions.put(GeneralConstants.KEYPAIR,
keyManager.getSigningKeyPair());
-
- SAML2HandlerChainConfig handlerChainConfig = new
DefaultSAML2HandlerChainConfig(chainConfigOptions);
-
- Set<SAML2Handler> samlHandlers = chain.handlers();
-
- for(SAML2Handler handler: samlHandlers)
- {
- handler.initChainConfig(handlerChainConfig);
- }
- }
- catch(Exception e)
- {
- log.error("Exception dealing with handler configuration:",e);
- throw new LifecycleException(e.getLocalizedMessage());
- }
-
- //Add some keys to the attibutes
- String[] ak = new String[]
{"mail","cn","commonname","givenname",
- "surname","employeeType",
- "employeeNumber",
- "facsimileTelephoneNumber"};
-
- this.attributeKeys.addAll(Arrays.asList(ak));
-
- //The Identity Server on the servlet context gets set
- //in the implementation of IdentityServer
- //Create an Identity Server and set it on the context
- IdentityServer identityServer = (IdentityServer)
context.getServletContext().getAttribute(GeneralConstants.IDENTITY_SERVER);
- if(identityServer == null)
- {
- identityServer = new IdentityServer();
- context.getServletContext().setAttribute(GeneralConstants.IDENTITY_SERVER,
identityServer);
- if( StringUtil.isNotNull( this.identityParticipantStack ))
- {
- try
+
+ SAML2HandlerChainConfig handlerChainConfig = new
DefaultSAML2HandlerChainConfig(chainConfigOptions);
+
+ Set<SAML2Handler> samlHandlers = chain.handlers();
+
+ for (SAML2Handler handler : samlHandlers)
+ {
+ handler.initChainConfig(handlerChainConfig);
+ }
+ }
+ catch (Exception e)
+ {
+ log.error("Exception dealing with handler configuration:", e);
+ throw new LifecycleException(e.getLocalizedMessage());
+ }
+
+ //Add some keys to the attibutes
+ String[] ak = new String[]
+ {"mail", "cn", "commonname", "givenname",
"surname", "employeeType", "employeeNumber",
"facsimileTelephoneNumber"};
+
+ this.attributeKeys.addAll(Arrays.asList(ak));
+
+ //The Identity Server on the servlet context gets set
+ //in the implementation of IdentityServer
+ //Create an Identity Server and set it on the context
+ IdentityServer identityServer = (IdentityServer)
context.getServletContext().getAttribute(
+ GeneralConstants.IDENTITY_SERVER);
+ if (identityServer == null)
+ {
+ identityServer = new IdentityServer();
+ context.getServletContext().setAttribute(GeneralConstants.IDENTITY_SERVER,
identityServer);
+ if (StringUtil.isNotNull(this.identityParticipantStack))
+ {
+ try
{
- Class<?> stackClass =
SecurityActions.getContextClassLoader().loadClass( this.identityParticipantStack );
- identityServer.setStack( (IdentityParticipantStack)
stackClass.newInstance() );
+ Class<?> stackClass =
SecurityActions.getContextClassLoader().loadClass(this.identityParticipantStack);
+ identityServer.setStack((IdentityParticipantStack)
stackClass.newInstance());
}
catch (ClassNotFoundException e)
- {
- log.error( "Unable to set the Identity Participant Stack Class. Will
just use the default", e );
+ {
+ log.error("Unable to set the Identity Participant Stack Class. Will
just use the default", e);
}
catch (InstantiationException e)
{
- log.error( "Unable to set the Identity Participant Stack Class. Will
just use the default", e );
+ log.error("Unable to set the Identity Participant Stack Class. Will
just use the default", e);
}
catch (IllegalAccessException e)
{
- log.error( "Unable to set the Identity Participant Stack Class. Will
just use the default", e );
+ log.error("Unable to set the Identity Participant Stack Class. Will
just use the default", e);
}
- }
- }
+ }
+ }
}
-
/**
* Gracefully terminate the active use of the public methods of this
* component. This method should be the last one called on a given
@@ -1050,31 +1025,33 @@
* @exception LifecycleException if this component detects a fatal error
* that needs to be reported
*/
- public void stop() throws LifecycleException
+ public void stop() throws LifecycleException
{
- // Validate and update our current component state
- if (!started)
- throw new LifecycleException
- ("IDPWebBrowserSSOValve NotStarted");
- lifecycle.fireLifecycleEvent(STOP_EVENT, null);
- started = false;
- }
+ // Validate and update our current component state
+ if (!started)
+ throw new LifecycleException("IDPWebBrowserSSOValve NotStarted");
+ lifecycle.fireLifecycleEvent(STOP_EVENT, null);
+ started = false;
+ }
+
//Private Methods
-
+
protected static class SessionHolder
{
String samlRequest;
+
String signature;
- String sigAlg;
-
+
+ String sigAlg;
+
public SessionHolder(String req, String sig, String alg)
{
this.samlRequest = req;
this.signature = sig;
- this.sigAlg = alg;
+ this.sigAlg = alg;
}
}
-
+
private void recycle(Response response)
{
/**
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java 2011-03-15
16:39:35 UTC (rev 811)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java 2011-03-15
17:14:01 UTC (rev 812)
@@ -21,6 +21,8 @@
*/
package org.picketlink.identity.federation.web.servlets;
+import static org.picketlink.identity.federation.core.util.StringUtil.isNotNull;
+
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
@@ -67,11 +69,11 @@
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
+import
org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler.HANDLER_TYPE;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChain;
import
org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChainConfig;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
-import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
-import
org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler.HANDLER_TYPE;
+import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.util.HandlerUtil;
import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
import org.picketlink.identity.federation.core.util.CoreConfigUtil;
@@ -79,7 +81,7 @@
import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
import org.picketlink.identity.federation.newmodel.saml.v2.protocol.RequestAbstractType;
import org.picketlink.identity.federation.newmodel.saml.v2.protocol.StatusResponseType;
-import org.picketlink.identity.federation.saml.v2.SAML2Object;
+import org.picketlink.identity.federation.saml.v2.SAML2Object;
import org.picketlink.identity.federation.web.constants.GeneralConstants;
import org.picketlink.identity.federation.web.core.HTTPContext;
import org.picketlink.identity.federation.web.core.IdentityParticipantStack;
@@ -87,13 +89,10 @@
import org.picketlink.identity.federation.web.roles.DefaultRoleGenerator;
import org.picketlink.identity.federation.web.util.ConfigurationUtil;
import org.picketlink.identity.federation.web.util.IDPWebRequestUtil;
-import org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil;
import
org.picketlink.identity.federation.web.util.IDPWebRequestUtil.WebRequestUtilHolder;
+import org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil;
import org.w3c.dom.Document;
-
-import static org.picketlink.identity.federation.core.util.StringUtil.isNotNull;
-
/**
* SAML Web Browser SSO - POST binding
* @author Anil.Saldhana(a)redhat.com
@@ -102,17 +101,19 @@
public class IDPServlet extends HttpServlet
{
private static final long serialVersionUID = 1L;
+
private static Logger log = Logger.getLogger(IDPServlet.class);
- private boolean trace = log.isTraceEnabled();
-
+
+ private final boolean trace = log.isTraceEnabled();
+
protected transient IDPType idpConfiguration = null;
protected transient RoleGenerator roleGenerator = new DefaultRoleGenerator();
-
+
protected transient DelegatedAttributeManager attribManager = new
DelegatedAttributeManager();
protected List<String> attributeKeys = new ArrayList<String>();
-
+
protected long assertionValidity = 5000; // 5 seconds in miliseconds
protected String identityURL = null;
@@ -121,12 +122,12 @@
protected Boolean ignoreIncomingSignatures = false;
- protected Boolean signOutgoingMessages = true;
-
+ protected Boolean signOutgoingMessages = true;
+
protected String canonicalizationMethod =
CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
-
+
protected transient ServletContext context = null;
-
+
protected transient SAML2HandlerChain chain = null;
/**
@@ -138,412 +139,395 @@
{
return ignoreIncomingSignatures;
}
-
+
@Override
public void init(ServletConfig config) throws ServletException
{
Handlers handlers = null;
super.init(config);
String configFile = GeneralConstants.CONFIG_FILE_LOCATION;
-
+
context = config.getServletContext();
-
+
InputStream is = context.getResourceAsStream(configFile);
- if(is == null)
+ if (is == null)
throw new RuntimeException(configFile + " missing");
//Get the chain from config
chain = new DefaultSAML2HandlerChain();
-
+
try
{
idpConfiguration = ConfigurationUtil.getIDPConfiguration(is);
- this.identityURL = idpConfiguration.getIdentityURL();
- log.trace("Identity Provider URL=" + this.identityURL);
+ this.identityURL = idpConfiguration.getIdentityURL();
+ log.trace("Identity Provider URL=" + this.identityURL);
this.assertionValidity = idpConfiguration.getAssertionValidity();
-
+
this.canonicalizationMethod = idpConfiguration.getCanonicalizationMethod();
- log.info( "IDPServlet:: Setting the CanonicalizationMethod on
XMLSignatureUtil::" + canonicalizationMethod );
+ log.info("IDPServlet:: Setting the CanonicalizationMethod on
XMLSignatureUtil::" + canonicalizationMethod);
XMLSignatureUtil.setCanonicalizationMethodType(canonicalizationMethod);
-
+
//Get the attribute manager
String attributeManager = idpConfiguration.getAttributeManager();
- if(attributeManager != null && !"".equals(attributeManager))
+ if (attributeManager != null && !"".equals(attributeManager))
{
ClassLoader tcl = SecurityActions.getContextClassLoader();
AttributeManager delegate = (AttributeManager)
tcl.loadClass(attributeManager).newInstance();
this.attribManager.setDelegate(delegate);
}
-
+
//Get the handlers
String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION;
handlers =
ConfigurationUtil.getHandlers(context.getResourceAsStream(handlerConfigFileName));
- chain.addAll(HandlerUtil.getHandlers(handlers));
-
+ chain.addAll(HandlerUtil.getHandlers(handlers));
+
Map<String, Object> chainConfigOptions = new HashMap<String,
Object>();
chainConfigOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator);
chainConfigOptions.put(GeneralConstants.CONFIGURATION, idpConfiguration);
- chainConfigOptions.put( GeneralConstants.CANONICALIZATION_METHOD,
canonicalizationMethod );
-
+ chainConfigOptions.put(GeneralConstants.CANONICALIZATION_METHOD,
canonicalizationMethod);
+
SAML2HandlerChainConfig handlerChainConfig = new
DefaultSAML2HandlerChainConfig(chainConfigOptions);
Set<SAML2Handler> samlHandlers = chain.handlers();
-
- for(SAML2Handler handler: samlHandlers)
+
+ for (SAML2Handler handler : samlHandlers)
{
handler.initChainConfig(handlerChainConfig);
- }
+ }
}
catch (Exception e)
{
throw new RuntimeException(e);
}
-
+
//Handle the sign outgoing messages
String signOutgoingString =
config.getInitParameter(GeneralConstants.SIGN_OUTGOING_MESSAGES);
- if(signOutgoingString != null && !"".equals(signOutgoingString))
+ if (signOutgoingString != null &&
!"".equals(signOutgoingString))
this.signOutgoingMessages = Boolean.parseBoolean(signOutgoingString);
-
-
- if(this.signOutgoingMessages)
+
+ if (this.signOutgoingMessages)
{
KeyProviderType keyProvider = this.idpConfiguration.getKeyProvider();
- if(keyProvider == null)
+ if (keyProvider == null)
throw new RuntimeException("Key Provider is null for context=" +
context.getContextPath());
-
+
try
{
ClassLoader tcl = SecurityActions.getContextClassLoader();
String keyManagerClassName = keyProvider.getClassName();
- if(keyManagerClassName == null)
+ if (keyManagerClassName == null)
throw new RuntimeException("KeyManager class name is null");
-
+
Class<?> clazz = tcl.loadClass(keyManagerClassName);
this.keyManager = (TrustKeyManager) clazz.newInstance();
-
+
List<AuthPropertyType> authProperties =
CoreConfigUtil.getKeyProviderProperties(keyProvider);
-
- keyManager.setAuthProperties( authProperties );
+
+ keyManager.setAuthProperties(authProperties);
keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
}
- catch(Exception e)
+ catch (Exception e)
{
- log.error("Exception reading configuration:",e);
+ log.error("Exception reading configuration:", e);
throw new RuntimeException(e.getLocalizedMessage());
}
- if(trace)
- log.trace("Key Provider=" + keyProvider.getClassName());
+ if (trace)
+ log.trace("Key Provider=" + keyProvider.getClassName());
}
-
+
//handle the role generator
String rgString = config.getInitParameter(GeneralConstants.ROLE_GENERATOR);
- if(rgString != null && !"".equals(rgString))
+ if (rgString != null && !"".equals(rgString))
this.setRoleGenerator(rgString);
-
+
//Get a list of attributes we are interested in
String attribList = config.getInitParameter(GeneralConstants.ATTRIBUTE_KEYS);
- if(attribList != null && !"".equals(attribList))
+ if (attribList != null && !"".equals(attribList))
{
- StringTokenizer st = new StringTokenizer(attribList,",");
- while(st != null && st.hasMoreTokens())
+ StringTokenizer st = new StringTokenizer(attribList, ",");
+ while (st != null && st.hasMoreTokens())
{
this.attributeKeys.add(st.nextToken());
}
- }
-
+ }
+
//The Identity Server on the servlet context gets set
//in the implementation of IdentityServer
//Create an Identity Server and set it on the context
IdentityServer identityServer = (IdentityServer)
context.getAttribute(GeneralConstants.IDENTITY_SERVER);
- if(identityServer == null)
+ if (identityServer == null)
{
identityServer = new IdentityServer();
- context.setAttribute(GeneralConstants.IDENTITY_SERVER, identityServer);
- String theStackParam = config.getInitParameter(
GeneralConstants.IDENTITY_PARTICIPANT_STACK );
- if( StringUtil.isNotNull( theStackParam ) )
+ context.setAttribute(GeneralConstants.IDENTITY_SERVER, identityServer);
+ String theStackParam =
config.getInitParameter(GeneralConstants.IDENTITY_PARTICIPANT_STACK);
+ if (StringUtil.isNotNull(theStackParam))
{
try
{
Class<?> stackClass =
SecurityActions.getContextClassLoader().loadClass(theStackParam);
- identityServer.setStack( (IdentityParticipantStack)
stackClass.newInstance() );
+ identityServer.setStack((IdentityParticipantStack)
stackClass.newInstance());
}
catch (ClassNotFoundException e)
- {
- log( "Unable to set the Identity Participant Stack Class. Will just
use the default", e );
+ {
+ log("Unable to set the Identity Participant Stack Class. Will just
use the default", e);
}
catch (InstantiationException e)
{
- log( "Unable to set the Identity Participant Stack Class. Will just
use the default", e );
+ log("Unable to set the Identity Participant Stack Class. Will just
use the default", e);
}
catch (IllegalAccessException e)
{
- log( "Unable to set the Identity Participant Stack Class. Will just
use the default", e );
+ log("Unable to set the Identity Participant Stack Class. Will just
use the default", e);
}
}
- }
-
+ }
+
//Ensure the configuration in the STS
PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
//Let us look for a file
- String configPath = context.getRealPath( "/WEB-INF/picketlink-sts.xml"
);
- File stsConfigFile = configPath != null ? new File( configPath ) : null;
-
- if( stsConfigFile == null || !stsConfigFile.exists() )
+ String configPath = context.getRealPath("/WEB-INF/picketlink-sts.xml");
+ File stsConfigFile = configPath != null ? new File(configPath) : null;
+
+ if (stsConfigFile == null || !stsConfigFile.exists())
sts.installDefaultConfiguration();
else
- sts.installDefaultConfiguration( configPath );
- }
-
-
+ sts.installDefaultConfiguration(configPath);
+ }
+
@SuppressWarnings("unchecked")
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws
ServletException, IOException
{
//Some issue with filters and servlets
- HttpSession session = request.getSession(false);
-
+ HttpSession session = request.getSession(false);
+
String samlRequestMessage = (String)
session.getAttribute(GeneralConstants.SAML_REQUEST_KEY);
String samlResponseMessage = (String)
session.getAttribute(GeneralConstants.SAML_RESPONSE_KEY);
String relayState = (String) session.getAttribute(GeneralConstants.RELAY_STATE);
-
- String referer = request.getHeader("Referer");
+ String referer = request.getHeader("Referer");
+
//See if the user has already been authenticated
Principal userPrincipal = (Principal)
session.getAttribute(GeneralConstants.PRINCIPAL_ID);
- if(userPrincipal == null)
+ if (userPrincipal == null)
{
//The sys admin has not set up the login servlet filters for the IDP
- if(trace)
+ if (trace)
log.trace("Login Filters have not been configured");
- response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
- }
-
- IDPWebRequestUtil webRequestUtil = new IDPWebRequestUtil(request,
- idpConfiguration, keyManager);
- webRequestUtil.setAttributeManager(this.attribManager);
- webRequestUtil.setAttributeKeys(attributeKeys);
+ response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ }
+
+ IDPWebRequestUtil webRequestUtil = new IDPWebRequestUtil(request, idpConfiguration,
keyManager);
webRequestUtil.setCanonicalizationMethod(canonicalizationMethod);
boolean willSendRequest = true;
-
- if(userPrincipal != null)
+
+ if (userPrincipal != null)
{
- if(trace)
+ if (trace)
{
log.trace("Retrieved saml message and relay state from session");
- log.trace("saml Request message=" + samlRequestMessage +
"::relay state="+ relayState);
- log.trace("saml Response message=" + samlResponseMessage +
"::relay state="+ relayState);
+ log.trace("saml Request message=" + samlRequestMessage +
"::relay state=" + relayState);
+ log.trace("saml Response message=" + samlResponseMessage +
"::relay state=" + relayState);
}
session.removeAttribute(GeneralConstants.SAML_REQUEST_KEY);
session.removeAttribute(GeneralConstants.SAML_RESPONSE_KEY);
- if(isNotNull(relayState))
+ if (isNotNull(relayState))
session.removeAttribute(GeneralConstants.RELAY_STATE);
-
+
SAMLDocumentHolder samlDocumentHolder = null;
SAML2Object samlObject = null;
String destination = null;
Document samlResponse = null;
-
- if(samlResponseMessage != null)
+
+ if (samlResponseMessage != null)
{
StatusResponseType statusResponseType = null;
try
{
samlDocumentHolder =
webRequestUtil.getSAMLDocumentHolder(samlResponseMessage);
- samlObject = (SAML2Object) samlDocumentHolder.getSamlObject();
-
+ samlObject = samlDocumentHolder.getSamlObject();
+
boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile();
- boolean isValid = validate(request.getRemoteAddr(),
- request.getQueryString(),
- new SessionHolder(samlResponseMessage, null), isPost);
-
- if(!isValid)
+ boolean isValid = validate(request.getRemoteAddr(),
request.getQueryString(), new SessionHolder(
+ samlResponseMessage, null), isPost);
+
+ if (!isValid)
throw new GeneralSecurityException("Validation check
failed");
String issuer = null;
IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL);
- ProtocolContext protocolContext = new HTTPContext(request,response,
context);
+ ProtocolContext protocolContext = new HTTPContext(request, response,
context);
//Create the request/response
- SAML2HandlerRequest saml2HandlerRequest =
- new DefaultSAML2HandlerRequest(protocolContext,
- idpIssuer.getIssuer(), samlDocumentHolder,
- HANDLER_TYPE.IDP);
-
+ SAML2HandlerRequest saml2HandlerRequest = new
DefaultSAML2HandlerRequest(protocolContext,
+ idpIssuer.getIssuer(), samlDocumentHolder, HANDLER_TYPE.IDP);
+
saml2HandlerRequest.setRelayState(relayState);
-
- SAML2HandlerResponse saml2HandlerResponse = new
DefaultSAML2HandlerResponse();
+ SAML2HandlerResponse saml2HandlerResponse = new
DefaultSAML2HandlerResponse();
+
Set<SAML2Handler> handlers = chain.handlers();
-
- if(samlObject instanceof StatusResponseType)
+
+ if (samlObject instanceof StatusResponseType)
{
statusResponseType = (StatusResponseType) samlObject;
issuer = statusResponseType.getIssuer().getValue();
webRequestUtil.isTrusted(issuer);
-
- if(handlers != null)
- {
- for(SAML2Handler handler: handlers)
+
+ if (handlers != null)
+ {
+ for (SAML2Handler handler : handlers)
{
handler.reset();
handler.handleStatusResponseType(saml2HandlerRequest,
saml2HandlerResponse);
willSendRequest = saml2HandlerResponse.getSendRequest();
- }
- }
+ }
+ }
}
else
throw new RuntimeException("Unknown type:" +
samlObject.getClass().getName());
samlResponse = saml2HandlerResponse.getResultingDocument();
relayState = saml2HandlerResponse.getRelayState();
-
+
destination = saml2HandlerResponse.getDestination();
}
- catch(Exception e)
+ catch (Exception e)
{
throw new RuntimeException(e);
}
-
+
}
else
//Send valid saml response after processing the request
- if(samlRequestMessage != null)
+ if (samlRequestMessage != null)
{
//Get the SAML Request Message
- RequestAbstractType requestAbstractType = null;
-
+ RequestAbstractType requestAbstractType = null;
+
try
- {
+ {
samlDocumentHolder =
webRequestUtil.getSAMLDocumentHolder(samlRequestMessage);
- samlObject = (SAML2Object) samlDocumentHolder.getSamlObject();
-
-
+ samlObject = samlDocumentHolder.getSamlObject();
+
boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile();
- boolean isValid = validate(request.getRemoteAddr(),
- request.getQueryString(),
- new SessionHolder(samlRequestMessage, null), isPost);
-
- if(!isValid)
+ boolean isValid = validate(request.getRemoteAddr(),
request.getQueryString(), new SessionHolder(
+ samlRequestMessage, null), isPost);
+
+ if (!isValid)
throw new GeneralSecurityException("Validation check
failed");
String issuer = null;
IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL);
- ProtocolContext protocolContext = new HTTPContext(request,response,
context);
+ ProtocolContext protocolContext = new HTTPContext(request, response,
context);
//Create the request/response
- SAML2HandlerRequest saml2HandlerRequest =
- new DefaultSAML2HandlerRequest(protocolContext,
- idpIssuer.getIssuer(), samlDocumentHolder,
- HANDLER_TYPE.IDP);
+ SAML2HandlerRequest saml2HandlerRequest = new
DefaultSAML2HandlerRequest(protocolContext,
+ idpIssuer.getIssuer(), samlDocumentHolder, HANDLER_TYPE.IDP);
saml2HandlerRequest.setRelayState(relayState);
-
+
//Set the options on the handler request
Map<String, Object> requestOptions = new HashMap<String,
Object>();
requestOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator);
requestOptions.put(GeneralConstants.ASSERTIONS_VALIDITY,
this.assertionValidity);
requestOptions.put(GeneralConstants.CONFIGURATION,
this.idpConfiguration);
-
- Map<String,Object> attribs =
this.attribManager.getAttributes(userPrincipal, attributeKeys);
- requestOptions.put(GeneralConstants.ATTRIBUTES, attribs);
-
- saml2HandlerRequest.setOptions(requestOptions);
-
- List<String> roles = (List<String>)
session.getAttribute(GeneralConstants.ROLES_ID);
- if(roles == null)
+
+ Map<String, Object> attribs =
this.attribManager.getAttributes(userPrincipal, attributeKeys);
+ requestOptions.put(GeneralConstants.ATTRIBUTES, attribs);
+
+ saml2HandlerRequest.setOptions(requestOptions);
+
+ List<String> roles = (List<String>)
session.getAttribute(GeneralConstants.ROLES_ID);
+ if (roles == null)
{
roles = roleGenerator.generateRoles(userPrincipal);
session.setAttribute(GeneralConstants.ROLES_ID, roles);
}
-
- SAML2HandlerResponse saml2HandlerResponse = new
DefaultSAML2HandlerResponse();
+ SAML2HandlerResponse saml2HandlerResponse = new
DefaultSAML2HandlerResponse();
+
Set<SAML2Handler> handlers = chain.handlers();
-
- if(samlObject instanceof RequestAbstractType)
+
+ if (samlObject instanceof RequestAbstractType)
{
requestAbstractType = (RequestAbstractType) samlObject;
issuer = requestAbstractType.getIssuer().getValue();
webRequestUtil.isTrusted(issuer);
-
- if(handlers != null)
- {
- for(SAML2Handler handler: handlers)
+
+ if (handlers != null)
+ {
+ for (SAML2Handler handler : handlers)
{
handler.handleRequestType(saml2HandlerRequest,
saml2HandlerResponse);
willSendRequest = saml2HandlerResponse.getSendRequest();
- }
- }
- }
+ }
+ }
+ }
else
throw new RuntimeException("Unknown type:" +
samlObject.getClass().getName());
samlResponse = saml2HandlerResponse.getResultingDocument();
relayState = saml2HandlerResponse.getRelayState();
-
+
destination = saml2HandlerResponse.getDestination();
-
+
}
catch (IssuerNotTrustedException e)
{
- if(trace) log.trace("Exception:",e);
+ if (trace)
+ log.trace("Exception:", e);
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get(),
- this.identityURL, this.signOutgoingMessages);
+ samlResponse = webRequestUtil.getErrorResponse(referer,
+ JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get(), this.identityURL,
this.signOutgoingMessages);
}
catch (ParsingException e)
{
- if(trace) log.trace("Exception:",e);
+ if (trace)
+ log.trace("Exception:", e);
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
+ samlResponse = webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
+ this.identityURL, this.signOutgoingMessages);
}
catch (ConfigurationException e)
{
- if(trace) log.trace("Exception:",e);
+ if (trace)
+ log.trace("Exception:", e);
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
+ samlResponse = webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
+ this.identityURL, this.signOutgoingMessages);
}
catch (IssueInstantMissingException e)
{
- if(trace) log.trace("Exception:",e);
+ if (trace)
+ log.trace("Exception:", e);
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
- }
- catch(GeneralSecurityException e)
+ samlResponse = webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
+ this.identityURL, this.signOutgoingMessages);
+ }
+ catch (GeneralSecurityException e)
{
- if(trace) log.trace("Security Exception:",e);
+ if (trace)
+ log.trace("Security Exception:", e);
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
+ samlResponse = webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
+ this.identityURL, this.signOutgoingMessages);
}
- catch(Exception e)
+ catch (Exception e)
{
- if(trace) log.trace("Exception:",e);
+ if (trace)
+ log.trace("Exception:", e);
- samlResponse =
- webRequestUtil.getErrorResponse(referer,
- JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
- this.identityURL, this.signOutgoingMessages);
+ samlResponse = webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
+ this.identityURL, this.signOutgoingMessages);
}
-
+
}
else
{
log.error("No SAML Request Message");
- if(trace) log.trace("Referer="+referer);
+ if (trace)
+ log.trace("Referer=" + referer);
try
{
@@ -552,25 +536,25 @@
}
catch (ConfigurationException e)
{
- if(trace) log.trace(e);
- }
- }
-
+ if (trace)
+ log.trace(e);
+ }
+ }
+
try
- {
- if(samlResponse == null)
+ {
+ if (samlResponse == null)
throw new ServletException("SAML Response has not been
generated");
-
-
WebRequestUtilHolder holder = webRequestUtil.getHolder();
-
holder.setResponseDoc(samlResponse).setDestination(destination).setRelayState(relayState).setAreWeSendingRequest(
willSendRequest )
-
.setPrivateKey(null).setSupportSignature(false).setServletResponse(response);
+
holder.setResponseDoc(samlResponse).setDestination(destination).setRelayState(relayState)
+
.setAreWeSendingRequest(willSendRequest).setPrivateKey(null).setSupportSignature(false)
+ .setServletResponse(response);
holder.setPostBindingRequested(true);
-
- if(this.signOutgoingMessages)
+
+ if (this.signOutgoingMessages)
{
- holder.setPrivateKey( keyManager.getSigningKey()
).setSupportSignature(true);
+
holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true);
/*webRequestUtil.send(samlResponse, destination,relayState, response,
true,
this.keyManager.getSigningKey(), willSendRequest);*/
}
@@ -581,41 +565,44 @@
}
catch (ParsingException e)
{
- if(trace) log.trace(e);
- }
+ if (trace)
+ log.trace(e);
+ }
catch (GeneralSecurityException e)
{
- if(trace) log.trace(e);
+ if (trace)
+ log.trace(e);
}
return;
- }
+ }
}
protected void sendErrorResponseToSP(String referrer, HttpServletResponse response,
String relayState,
IDPWebRequestUtil webRequestUtil) throws ServletException, IOException,
ConfigurationException
{
- if(trace) log.trace("About to send error response to SP:" + referrer);
+ if (trace)
+ log.trace("About to send error response to SP:" + referrer);
- Document samlResponse =
- webRequestUtil.getErrorResponse(referrer,
JBossSAMLURIConstants.STATUS_RESPONDER.get(),
- this.identityURL, this.signOutgoingMessages);
+ Document samlResponse = webRequestUtil.getErrorResponse(referrer,
JBossSAMLURIConstants.STATUS_RESPONDER.get(),
+ this.identityURL, this.signOutgoingMessages);
try
- {
+ {
WebRequestUtilHolder holder = webRequestUtil.getHolder();
-
holder.setResponseDoc(samlResponse).setDestination(referrer).setRelayState(relayState).setAreWeSendingRequest(
false )
- .setPrivateKey(null).setSupportSignature(false).setServletResponse(response);
+
holder.setResponseDoc(samlResponse).setDestination(referrer).setRelayState(relayState)
+
.setAreWeSendingRequest(false).setPrivateKey(null).setSupportSignature(false)
+ .setServletResponse(response);
holder.setPostBindingRequested(true);
-
- if(this.signOutgoingMessages)
+
+ if (this.signOutgoingMessages)
{
- holder.setPrivateKey( keyManager.getSigningKey() ).setSupportSignature( true
);
+ holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true);
/*webRequestUtil.send(samlResponse, referrer, relayState, response, true,
this.keyManager.getSigningKey(), false);*/
}
-
- /* else
- webRequestUtil.send(samlResponse, referrer, relayState, response, false,null,
false);*/
+
+ /* else
+ webRequestUtil.send(samlResponse, referrer, relayState, response,
false,null, false);*/
webRequestUtil.send(holder);
}
catch (ParsingException e1)
@@ -623,34 +610,33 @@
throw new ServletException(e1);
}
catch (GeneralSecurityException e)
- {
+ {
throw new ServletException(e);
- }
- }
+ }
+ }
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws
ServletException, IOException
{
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
- }
-
+ }
protected static class SessionHolder
{
String samlRequest;
- String signature;
-
+
+ String signature;
+
public SessionHolder(String req, String sig)
{
this.samlRequest = req;
- this.signature = sig;
+ this.signature = sig;
}
}
-
- protected boolean validate(String remoteAddress,
- String queryString,
- SessionHolder holder, boolean isPost) throws IOException,
GeneralSecurityException
- {
+
+ protected boolean validate(String remoteAddress, String queryString, SessionHolder
holder, boolean isPost)
+ throws IOException, GeneralSecurityException
+ {
if (holder.samlRequest == null || holder.samlRequest.length() == 0)
{
return false;
@@ -664,12 +650,12 @@
log.error("Signature received from SP is null:" + remoteAddress);
return false;
}
-
+
//Check if there is a signature
byte[] sigValue =
RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(queryString);
- if(sigValue == null)
+ if (sigValue == null)
return false;
-
+
PublicKey validatingKey;
try
{
@@ -683,7 +669,7 @@
{
throw new GeneralSecurityException(e.getCause());
}
-
+
return RedirectBindingSignatureUtil.validateSignature(queryString,
validatingKey, sigValue);
}
else
@@ -692,12 +678,12 @@
return true;
}
}
-
+
public void testPost(HttpServletRequest request, HttpServletResponse response) throws
ServletException, IOException
{
- this.doPost(request, response);
+ this.doPost(request, response);
}
-
+
private void setRoleGenerator(String rgName)
{
try
@@ -708,6 +694,6 @@
catch (Exception e)
{
throw new RuntimeException(e);
- }
+ }
}
}
\ No newline at end of file
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java 2011-03-15
16:39:35 UTC (rev 811)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java 2011-03-15
17:14:01 UTC (rev 812)
@@ -30,10 +30,7 @@
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
-import java.security.Principal;
import java.security.PrivateKey;
-import java.util.List;
-import java.util.Map;
import java.util.StringTokenizer;
import javax.servlet.http.HttpServletRequest;
@@ -49,21 +46,16 @@
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ParsingException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
-import org.picketlink.identity.federation.core.interfaces.AttributeManager;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
-import
org.picketlink.identity.federation.core.saml.v2.exceptions.IssueInstantMissingException;
import
org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.picketlink.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.holders.IDPInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.holders.SPInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
-import org.picketlink.identity.federation.core.saml.v2.util.StatementUtil;
-import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AssertionType;
-import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType;
import org.picketlink.identity.federation.newmodel.saml.v2.protocol.RequestAbstractType;
import org.picketlink.identity.federation.newmodel.saml.v2.protocol.ResponseType;
import org.w3c.dom.Document;
@@ -77,66 +69,53 @@
public class IDPWebRequestUtil
{
private static Logger log = Logger.getLogger(IDPWebRequestUtil.class);
- private boolean trace = log.isTraceEnabled();
-
+
+ private final boolean trace = log.isTraceEnabled();
+
private boolean redirectProfile = false;
+
private boolean postProfile = false;
- private IDPType idpConfiguration;
- private TrustKeyManager keyManager;
- private AttributeManager attributeManager;
- private List<String> attribKeys;
+ private final IDPType idpConfiguration;
+ private final TrustKeyManager keyManager;
+
protected String canonicalizationMethod =
CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
-
+
public IDPWebRequestUtil(HttpServletRequest request, IDPType idp, TrustKeyManager
keym)
{
this.idpConfiguration = idp;
this.keyManager = keym;
this.redirectProfile = "GET".equals(request.getMethod());
- this.postProfile = "POST".equals(request.getMethod());
- }
-
+ this.postProfile = "POST".equals(request.getMethod());
+ }
+
public String getCanonicalizationMethod()
{
return canonicalizationMethod;
}
-
-
public void setCanonicalizationMethod(String canonicalizationMethod)
{
this.canonicalizationMethod = canonicalizationMethod;
}
-
-
- public void setAttributeKeys(List<String> attribKeys)
- {
- this.attribKeys = attribKeys;
- }
-
- public void setAttributeManager(AttributeManager attributeManager)
- {
- this.attributeManager = attributeManager;
- }
-
public boolean hasSAMLRequestInRedirectProfile()
{
- return redirectProfile;
+ return redirectProfile;
}
-
+
public boolean hasSAMLRequestInPostProfile()
{
return postProfile;
}
-
- public SAMLDocumentHolder getSAMLDocumentHolder(String samlMessage)
- throws ParsingException, ConfigurationException, ProcessingException
- {
- InputStream is = null;
- SAML2Request saml2Request = new SAML2Request();
- if(redirectProfile)
+
+ public SAMLDocumentHolder getSAMLDocumentHolder(String samlMessage) throws
ParsingException, ConfigurationException,
+ ProcessingException
+ {
+ InputStream is = null;
+ SAML2Request saml2Request = new SAML2Request();
+ if (redirectProfile)
{
is = RedirectBindingUtil.base64DeflateDecode(samlMessage);
}
@@ -145,32 +124,33 @@
try
{
byte[] samlBytes = PostBindingUtil.base64Decode(samlMessage);
- if(trace) log.trace("SAMLRequest=" + new String(samlBytes));
+ if (trace)
+ log.trace("SAMLRequest=" + new String(samlBytes));
is = new ByteArrayInputStream(samlBytes);
}
- catch(Exception rte)
+ catch (Exception rte)
{
- if(trace)
- log.trace("Error in base64 decoding saml message: "+rte);
+ if (trace)
+ log.trace("Error in base64 decoding saml message: " + rte);
throw new ParsingException(rte);
- }
+ }
}
saml2Request.getSAML2ObjectFromStream(is);
return saml2Request.getSamlDocumentHolder();
}
-
- public RequestAbstractType getSAMLRequest(String samlMessage)
- throws ParsingException, ConfigurationException, ProcessingException
- {
- InputStream is = null;
- SAML2Request saml2Request = new SAML2Request();
- if(redirectProfile)
+
+ public RequestAbstractType getSAMLRequest(String samlMessage) throws ParsingException,
ConfigurationException,
+ ProcessingException
+ {
+ InputStream is = null;
+ SAML2Request saml2Request = new SAML2Request();
+ if (redirectProfile)
{
try
{
- is = RedirectBindingUtil.base64DeflateDecode(samlMessage);
+ is = RedirectBindingUtil.base64DeflateDecode(samlMessage);
}
- catch(Exception e)
+ catch (Exception e)
{
log.error("Exception in parsing saml message:", e);
throw new ParsingException();
@@ -179,113 +159,13 @@
else
{
byte[] samlBytes = PostBindingUtil.base64Decode(samlMessage);
- if(trace) log.trace("SAMLRequest=" + new String(samlBytes));
+ if (trace)
+ log.trace("SAMLRequest=" + new String(samlBytes));
is = new ByteArrayInputStream(samlBytes);
}
return saml2Request.getRequestType(is);
- }
-
-
- public Document getResponse( String assertionConsumerURL,
- Principal userPrincipal,
- List<String> roles,
- String identityURL,
- long assertionValidity,
- boolean supportSignature)
- throws ConfigurationException, IssueInstantMissingException, ProcessingException
- {
- Document samlResponseDocument = null;
-
- if(trace)
- log.trace("AssertionConsumerURL=" + assertionConsumerURL +
- "::assertion validity=" + assertionValidity);
- ResponseType responseType = null;
-
- SAML2Response saml2Response = new SAML2Response();
-
- //Create a response type
- String id = IDGenerator.create("ID_");
-
- IssuerInfoHolder issuerHolder = new IssuerInfoHolder(identityURL);
- issuerHolder.setStatusCode(JBossSAMLURIConstants.STATUS_SUCCESS.get());
-
- IDPInfoHolder idp = new IDPInfoHolder();
- idp.setNameIDFormatValue(userPrincipal.getName());
- idp.setNameIDFormat(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get());
-
- SPInfoHolder sp = new SPInfoHolder();
- sp.setResponseDestinationURI(assertionConsumerURL);
- responseType = saml2Response.createResponseType(id, sp, idp, issuerHolder);
-
- //Add information on the roles
- AssertionType assertion = (AssertionType)
responseType.getAssertions().get(0).getAssertion();
-
- AttributeStatementType attrStatement =
StatementUtil.createAttributeStatement(roles);
- assertion.addStatement( attrStatement );
-
- //Add timed conditions
- saml2Response.createTimedConditions(assertion, assertionValidity);
-
- //Add in the attributes information
- if(this.attributeManager != null)
- {
- try
- {
- Map<String, Object> attribs =
- attributeManager.getAttributes(userPrincipal, this.attribKeys);
- AttributeStatementType attStatement =
StatementUtil.createAttributeStatement(attribs);
- assertion.addStatement( attStatement );
- }
- catch(Exception e)
- {
- log.error("Exception in generating attributes:",e);
- }
- }
-
- //Lets see how the response looks like
- if(log.isTraceEnabled())
- {
- StringWriter sw = new StringWriter();
- try
- {
- saml2Response.marshall(responseType, sw);
- }
- catch ( ProcessingException e)
- {
- log.trace(e);
- }
- log.trace("Response="+sw.toString());
- }
-
- if(trace)
- log.trace("Support Sig=" + supportSignature + " ::Post
Profile?=" + hasSAMLRequestInPostProfile());
- if(supportSignature && hasSAMLRequestInPostProfile())
- {
- try
- {
- SAML2Signature saml2Signature = new SAML2Signature();
- samlResponseDocument = saml2Signature.sign(responseType,
keyManager.getSigningKeyPair());
- }
- catch (Exception e)
- {
- if(trace) log.trace(e);
- }
- }
- else
- try
- {
- samlResponseDocument = saml2Response.convert(responseType);
- }
- catch (Exception e)
- {
- if(trace) log.trace(e);
- }
-
- return samlResponseDocument;
}
-
-
-
+
/**
* Verify that the issuer is trusted
* @param issuer
@@ -293,101 +173,43 @@
*/
public void isTrusted(String issuer) throws IssuerNotTrustedException
{
- if(idpConfiguration == null)
+ if (idpConfiguration == null)
throw new IllegalStateException("IDP Configuration is null");
try
{
String issuerDomain = getDomain(issuer);
- TrustType idpTrust = idpConfiguration.getTrust();
- if(idpTrust != null)
+ TrustType idpTrust = idpConfiguration.getTrust();
+ if (idpTrust != null)
{
String domainsTrusted = idpTrust.getDomains();
- if(trace)
- log.trace("Domains that IDP trusts="+domainsTrusted + " and
issuer domain="+issuerDomain);
- if(domainsTrusted.indexOf(issuerDomain) < 0)
+ if (trace)
+ log.trace("Domains that IDP trusts=" + domainsTrusted + "
and issuer domain=" + issuerDomain);
+ if (domainsTrusted.indexOf(issuerDomain) < 0)
{
//Let us do string parts checking
StringTokenizer st = new StringTokenizer(domainsTrusted, ",");
- while(st != null && st.hasMoreTokens())
+ while (st != null && st.hasMoreTokens())
{
String uriBit = st.nextToken();
- if(trace)
- log.trace("Matching uri bit="+ uriBit);
- if(issuerDomain.indexOf(uriBit) > 0)
+ if (trace)
+ log.trace("Matching uri bit=" + uriBit);
+ if (issuerDomain.indexOf(uriBit) > 0)
{
- if(trace)
- log.trace("Matched " + uriBit + " trust for "
+ issuerDomain );
+ if (trace)
+ log.trace("Matched " + uriBit + " trust for "
+ issuerDomain);
return;
- }
- }
+ }
+ }
throw new IssuerNotTrustedException(issuer);
- }
+ }
}
}
catch (Exception e)
{
- throw new IssuerNotTrustedException(e.getLocalizedMessage(),e);
+ throw new IssuerNotTrustedException(e.getLocalizedMessage(), e);
}
}
-
- /**
- * Send a response
- * @param responseDoc
- * @param relayState
- * @param response
- * @throws GeneralSecurityException
- * @throws IOException
- */
- /* public void send(Document responseDoc, String destination,
- String relayState,
- HttpServletResponse response,
- boolean supportSignature,
- PrivateKey signingKey,
- boolean sendRequest) throws GeneralSecurityException, IOException
- {
- if(responseDoc == null)
- throw new IllegalArgumentException("responseType is null");
-
- if(redirectProfile)
- {
- byte[] responseBytes =
DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
-
- String urlEncodedResponse =
RedirectBindingUtil.deflateBase64URLEncode(responseBytes);
-
- if(trace) log.trace("IDP:Destination=" + destination);
-
- if(isNotNull(relayState))
- relayState = RedirectBindingUtil.urlEncode(relayState);
-
- String finalDest = destination + getDestination(urlEncodedResponse, relayState,
- supportSignature, sendRequest);
- if(trace) log.trace("Redirecting to="+ finalDest);
- HTTPRedirectUtil.sendRedirectForResponder(finalDest, response);
- }
- else
- {
- //If we support signature
- if(supportSignature)
- {
- //Sign the document
- SAML2Signature samlSignature = new SAML2Signature();
-
- KeyPair keypair = keyManager.getSigningKeyPair();
- samlSignature.signSAMLDocument(responseDoc, keypair);
-
- if(trace)
- log.trace("Sending over to SP:" +
DocumentUtil.asString(responseDoc));
- }
- byte[] responseBytes =
DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
-
- String samlResponse = PostBindingUtil.base64Encode(new String(responseBytes));
-
- PostBindingUtil.sendPost(new DestinationInfoHolder(destination,
- samlResponse, relayState), response, sendRequest);
- }
- }*/
-
/**
* Send a response
* @param responseDoc
@@ -396,11 +218,11 @@
* @throws GeneralSecurityException
* @throws IOException
*/
- public void send( WebRequestUtilHolder holder) throws GeneralSecurityException,
IOException
+ public void send(WebRequestUtilHolder holder) throws GeneralSecurityException,
IOException
{
Document responseDoc = holder.getResponseDoc();
-
- if( responseDoc == null )
+
+ if (responseDoc == null)
throw new IllegalArgumentException("responseType is null");
String destination = holder.getDestination();
@@ -408,48 +230,47 @@
boolean supportSignature = holder.isSupportSignature();
boolean sendRequest = holder.isAreWeSendingRequest();
HttpServletResponse response = holder.getServletResponse();
-
- if(holder.isPostBindingRequested() == false)
- {
- byte[] responseBytes =
DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
-
+
+ if (holder.isPostBindingRequested() == false)
+ {
+ byte[] responseBytes =
DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
+
String urlEncodedResponse =
RedirectBindingUtil.deflateBase64URLEncode(responseBytes);
-
-
- if(trace) log.trace("IDP:Destination=" + destination);
- if(isNotNull(relayState))
+ if (trace)
+ log.trace("IDP:Destination=" + destination);
+
+ if (isNotNull(relayState))
relayState = RedirectBindingUtil.urlEncode(relayState);
- String finalDest = destination + getDestination(urlEncodedResponse, relayState,
- supportSignature, sendRequest);
- if(trace) log.trace("Redirecting to="+ finalDest);
- HTTPRedirectUtil.sendRedirectForResponder(finalDest, response);
- }
+ String finalDest = destination + getDestination(urlEncodedResponse, relayState,
supportSignature, sendRequest);
+ if (trace)
+ log.trace("Redirecting to=" + finalDest);
+ HTTPRedirectUtil.sendRedirectForResponder(finalDest, response);
+ }
else
- {
+ {
//If we support signature
- if(supportSignature)
+ if (supportSignature)
{
//Sign the document
- SAML2Signature samlSignature = new SAML2Signature();
+ SAML2Signature samlSignature = new SAML2Signature();
KeyPair keypair = keyManager.getSigningKeyPair();
- samlSignature.signSAMLDocument(responseDoc, keypair);
-
- if(trace)
- log.trace("Sending over to SP:" +
DocumentUtil.asString(responseDoc));
+ samlSignature.signSAMLDocument(responseDoc, keypair);
+
+ if (trace)
+ log.trace("Sending over to SP:" +
DocumentUtil.asString(responseDoc));
}
- byte[] responseBytes =
DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
-
+ byte[] responseBytes =
DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
+
String samlResponse = PostBindingUtil.base64Encode(new String(responseBytes));
-
- PostBindingUtil.sendPost(new DestinationInfoHolder(destination,
- samlResponse, relayState), response, sendRequest);
+
+ PostBindingUtil.sendPost(new DestinationInfoHolder(destination, samlResponse,
relayState), response,
+ sendRequest);
}
- }
-
-
+ }
+
/**
* Generate a Destination URL for the HTTPRedirect binding
* with the saml response and relay state
@@ -457,8 +278,8 @@
* @param urlEncodedRelayState
* @return
*/
- public String getDestination(String urlEncodedResponse, String urlEncodedRelayState,
- boolean supportSignature, boolean sendRequest)
+ public String getDestination(String urlEncodedResponse, String urlEncodedRelayState,
boolean supportSignature,
+ boolean sendRequest)
{
StringBuilder sb = new StringBuilder();
@@ -472,12 +293,13 @@
}
catch (Exception e)
{
- if(trace) log.trace(e);
+ if (trace)
+ log.trace(e);
}
}
else
{
- if(sendRequest)
+ if (sendRequest)
sb.append("?SAMLRequest=").append(urlEncodedResponse);
else
sb.append("?SAMLResponse=").append(urlEncodedResponse);
@@ -486,12 +308,12 @@
}
return sb.toString();
}
-
+
public WebRequestUtilHolder getHolder()
{
return new WebRequestUtilHolder();
}
-
+
/**
* Create an Error Response
* @param responseURL
@@ -501,18 +323,17 @@
* @return
* @throws ConfigurationException
*/
- public Document getErrorResponse(String responseURL, String status,
- String identityURL, boolean supportSignature)
- {
+ public Document getErrorResponse(String responseURL, String status, String
identityURL, boolean supportSignature)
+ {
Document samlResponse = null;
- ResponseType responseType = null;
+ ResponseType responseType = null;
SAML2Response saml2Response = new SAML2Response();
//Create a response type
String id = IDGenerator.create("ID_");
- IssuerInfoHolder issuerHolder = new IssuerInfoHolder(identityURL);
+ IssuerInfoHolder issuerHolder = new IssuerInfoHolder(identityURL);
issuerHolder.setStatusCode(status);
IDPInfoHolder idp = new IDPInfoHolder();
@@ -527,17 +348,19 @@
}
catch (ConfigurationException e1)
{
- if(trace) log.trace(e1);
+ if (trace)
+ log.trace(e1);
responseType = saml2Response.createResponseType();
}
catch (ProcessingException e)
{
- if(trace) log.trace( e );
+ if (trace)
+ log.trace(e);
responseType = saml2Response.createResponseType();
- }
+ }
//Lets see how the response looks like
- if(log.isTraceEnabled())
+ if (log.isTraceEnabled())
{
log.trace("Error_ResponseType = ");
StringWriter sw = new StringWriter();
@@ -545,24 +368,25 @@
{
saml2Response.marshall(responseType, sw);
}
- catch ( ProcessingException e)
+ catch (ProcessingException e)
{
log.trace(e);
- }
- log.trace("Response="+sw.toString());
+ }
+ log.trace("Response=" + sw.toString());
}
- if(supportSignature)
- {
+ if (supportSignature)
+ {
try
- {
- SAML2Signature ss = new SAML2Signature();
+ {
+ SAML2Signature ss = new SAML2Signature();
samlResponse = ss.sign(responseType, keyManager.getSigningKeyPair());
}
catch (Exception e)
{
- if(trace) log.trace(e);
- }
+ if (trace)
+ log.trace(e);
+ }
}
else
try
@@ -571,106 +395,129 @@
}
catch (Exception e)
{
- if(trace) log.trace(e);
- }
-
- return samlResponse;
+ if (trace)
+ log.trace(e);
+ }
+
+ return samlResponse;
}
-
+
/**
* Given a SP or IDP issuer from the assertion, return the host
* @param domainURL
* @return
* @throws IOException
*/
- private static String getDomain(String domainURL) throws IOException
+ private static String getDomain(String domainURL) throws IOException
{
URL url = new URL(domainURL);
return url.getHost();
}
-
+
public class WebRequestUtilHolder
- {
+ {
private Document responseDoc;
+
private String relayState;
+
private String destination;
+
private HttpServletResponse servletResponse;
+
private PrivateKey privateKey;
+
private boolean supportSignature;
+
private boolean postBindingRequested;
+
private boolean areWeSendingRequest;
+
public Document getResponseDoc()
{
return responseDoc;
}
-
+
public WebRequestUtilHolder setResponseDoc(Document responseDoc)
{
this.responseDoc = responseDoc;
return this;
}
+
public String getRelayState()
{
return relayState;
}
+
public WebRequestUtilHolder setRelayState(String relayState)
{
this.relayState = relayState;
return this;
}
+
public String getDestination()
{
return destination;
}
+
public WebRequestUtilHolder setDestination(String destination)
{
this.destination = destination;
return this;
}
+
public HttpServletResponse getServletResponse()
{
return servletResponse;
}
+
public WebRequestUtilHolder setServletResponse(HttpServletResponse
servletResponse)
{
this.servletResponse = servletResponse;
return this;
}
+
public PrivateKey getPrivateKey()
{
return privateKey;
}
+
public WebRequestUtilHolder setPrivateKey(PrivateKey privateKey)
{
this.privateKey = privateKey;
return this;
}
+
public boolean isSupportSignature()
{
return supportSignature;
}
+
public WebRequestUtilHolder setSupportSignature(boolean supportSignature)
{
this.supportSignature = supportSignature;
return this;
}
+
public boolean isPostBindingRequested()
{
return postBindingRequested;
}
+
public WebRequestUtilHolder setPostBindingRequested(boolean postBindingRequested)
{
this.postBindingRequested = postBindingRequested;
return this;
}
+
public boolean isAreWeSendingRequest()
{
return areWeSendingRequest;
}
+
public WebRequestUtilHolder setAreWeSendingRequest(boolean areWeSendingRequest)
{
this.areWeSendingRequest = areWeSendingRequest;
return this;
- }
+ }
}
}
\ No newline at end of file