Author: anil.saldhana(a)jboss.com
Date: 2011-01-26 22:59:39 -0500 (Wed, 26 Jan 2011)
New Revision: 666
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
Log:
PLFED-123: SAML2 auth response should contain the AuthnStatement
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java 2011-01-27
03:59:06 UTC (rev 665)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/interfaces/SAML2Handler.java 2011-01-27
03:59:39 UTC (rev 666)
@@ -32,6 +32,10 @@
*/
public interface SAML2Handler
{
+ //Define some constants
+ String DISABLE_AUTHN_STATEMENT = "DISABLE_AUTHN_STATEMENT";
+ String DISABLE_SENDING_ROLES = "DISABLE_SENDING_ROLES";
+
/**
* Processing Point - idp side
* or service side
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java 2011-01-27
03:59:06 UTC (rev 665)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/StatementUtil.java 2011-01-27
03:59:39 UTC (rev 666)
@@ -21,11 +21,13 @@
*/
package org.picketlink.identity.federation.core.saml.v2.util;
+import java.net.URI;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;
+import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.namespace.QName;
import org.picketlink.identity.federation.core.constants.AttributeConstants;
@@ -34,6 +36,10 @@
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType;
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeType;
+import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AuthnContextClassRefType;
+import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AuthnContextType;
+import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AuthnContextType.AuthnContextTypeSequence;
+import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AuthnStatementType;
/**
* Deals with SAML2 Statements
@@ -42,9 +48,31 @@
*/
public class StatementUtil
{
- public static final QName X500_QNAME = new
QName(JBossSAMLURIConstants.X500_NSURI.get(), "Encoding",
JBossSAMLURIConstants.X500_PREFIX.get());
-
+ public static final QName X500_QNAME = new
QName(JBossSAMLURIConstants.X500_NSURI.get(), "Encoding",
JBossSAMLURIConstants.X500_PREFIX.get());
+
/**
+ * Create an AuthnStatementType given the issue instant and the type of
authentication
+ * @param instant an instanceof {@link XMLGregorianCalendar}
+ * @param authnContextClassRefValue indicate the type of authentication performed
+ * @return {@link AuthnStatementType}
+ */
+ public static AuthnStatementType createAuthnStatement( XMLGregorianCalendar instant,
String authnContextClassRefValue )
+ {
+ AuthnStatementType authnStatement = new AuthnStatementType( instant );
+
+ AuthnContextType authnContext = new AuthnContextType();
+ AuthnContextClassRefType authnContextClassRef = new AuthnContextClassRefType(
URI.create( authnContextClassRefValue ));
+
+ AuthnContextTypeSequence sequence = (authnContext).new AuthnContextTypeSequence();
+ sequence.setClassRef( authnContextClassRef );
+ authnContext.setSequence( sequence );
+
+ authnStatement.setAuthnContext( authnContext );
+
+ return authnStatement;
+ }
+
+ /**
* Create an attribute statement with all the attributes
* @param attributes a map with keys from {@link AttributeConstants}
* @return
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-01-27
03:59:06 UTC (rev 665)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-01-27
03:59:39 UTC (rev 666)
@@ -39,19 +39,21 @@
import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import
org.picketlink.identity.federation.core.saml.v2.exceptions.AssertionExpiredException;
-import
org.picketlink.identity.federation.core.saml.v2.exceptions.IssueInstantMissingException;
import org.picketlink.identity.federation.core.saml.v2.holders.IDPInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
import org.picketlink.identity.federation.core.saml.v2.holders.SPInfoHolder;
+import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import
org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest.GENERATE_REQUEST_TYPE;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.saml.v2.util.StatementUtil;
+import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AssertionType;
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType;
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeType;
+import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AuthnStatementType;
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.EncryptedAssertionType;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.NameIDType;
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.StatementAbstractType;
@@ -69,7 +71,15 @@
import org.w3c.dom.Node;
/**
+ * <p>
* Handles for dealing with SAML2 Authentication
+ * </p>
+ * <p>
+ * Configuration Options:
+ * @see SAML2Handler#DISABLE_AUTHN_STATEMENT Setting a value will disable the generation
of an AuthnStatement
+ * @see SAML2Handler#DISABLE_SENDING_ROLES Setting any value will disable the generation
and return of roles to SP
+ * </p>
+ *
* @author Anil.Saldhana(a)redhat.com
* @since Oct 8, 2009
*/
@@ -245,11 +255,19 @@
//Add information on the roles
AssertionType assertion = (AssertionType)
responseType.getAssertions().get(0).getAssertion();
- AttributeStatementType attrStatement =
StatementUtil.createAttributeStatement(roles);
- assertion.addStatement( attrStatement );
+ //Create an AuthnStatementType
+ if( handlerConfig.getParameter( DISABLE_AUTHN_STATEMENT ) == null )
+ {
+ AuthnStatementType authnStatement =
+ StatementUtil.createAuthnStatement( XMLTimeUtil.getIssueInstant(),
JBossSAMLURIConstants.AC_PASSWORD_PROTECTED_TRANSPORT.get() );
+ assertion.addStatement( authnStatement );
+ }
- /*//Add timed conditions
- saml2Response.createTimedConditions(assertion, assertionValidity);*/
+ if( handlerConfig.getParameter( DISABLE_SENDING_ROLES ) == null )
+ {
+ AttributeStatementType attrStatement =
StatementUtil.createAttributeStatement(roles);
+ assertion.addStatement( attrStatement );
+ }
//Add in the attributes information
if(attribs != null && attribs.size() > 0 )
@@ -286,84 +304,7 @@
log.trace(e);
}
return samlResponseDocument;
- }
-
- @SuppressWarnings("unused")
- @Deprecated
- public Document getResponse( String assertionConsumerURL,
- Principal userPrincipal,
- List<String> roles,
- String identityURL,
- Map<String, Object> attribs,
- long assertionValidity, String requestID)
- throws ConfigurationException, IssueInstantMissingException, ProcessingException
- {
- Document samlResponseDocument = null;
-
- if(trace)
- log.trace("AssertionConsumerURL=" + assertionConsumerURL +
- "::assertion validity=" + assertionValidity);
- ResponseType responseType = null;
-
- SAML2Response saml2Response = new SAML2Response();
-
- //Create a response type
- String id = IDGenerator.create("ID_");
-
- IssuerInfoHolder issuerHolder = new IssuerInfoHolder(identityURL);
- issuerHolder.setStatusCode(JBossSAMLURIConstants.STATUS_SUCCESS.get());
-
- IDPInfoHolder idp = new IDPInfoHolder();
- idp.setNameIDFormatValue(userPrincipal.getName());
- idp.setNameIDFormat(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get());
-
- SPInfoHolder sp = new SPInfoHolder();
- sp.setResponseDestinationURI(assertionConsumerURL);
- sp.setRequestID(requestID);
- responseType = saml2Response.createResponseType(id, sp, idp, issuerHolder);
-
- //Add information on the roles
- AssertionType assertion = (AssertionType)
responseType.getAssertions().get(0).getAssertion();
-
- AttributeStatementType attrStatement =
StatementUtil.createAttributeStatement(roles);
- assertion.addStatement( attrStatement );
-
- /*//Add timed conditions
- saml2Response.createTimedConditions(assertion, assertionValidity);*/
-
- //Add in the attributes information
- if(attribs != null && attribs.size() > 0 )
- {
- AttributeStatementType attStatement =
StatementUtil.createAttributeStatement(attribs);
- assertion.addStatement( attStatement );
- }
-
- //Lets see how the response looks like
- if(log.isTraceEnabled())
- {
- StringWriter sw = new StringWriter();
- try
- {
- saml2Response.marshall(responseType, sw);
- }
- catch ( ProcessingException e)
- {
- log.trace(e);
- }
- log.trace("Response="+sw.toString());
- }
- try
- {
- samlResponseDocument = saml2Response.convert(responseType);
- }
- catch (Exception e)
- {
- e.printStackTrace();
- if(trace)
- log.trace(e);
- }
- return samlResponseDocument;
- }
+ }
}
private class SPAuthenticationHandler
Show replies by date