Author: anil.saldhana(a)jboss.com
Date: 2011-07-06 10:45:20 -0400 (Wed, 06 Jul 2011)
New Revision: 1067
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/SecurityTokenProvider.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/parsers/saml/SAML11ResponseParser.java
Log:
PLFED-189:
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
---
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2011-07-06
14:44:27 UTC (rev 1066)
+++
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2011-07-06
14:45:20 UTC (rev 1067)
@@ -23,6 +23,8 @@
import static org.picketlink.identity.federation.core.util.StringUtil.isNotNull;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
@@ -38,6 +40,7 @@
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
+import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import javax.xml.crypto.dsig.CanonicalizationMethod;
@@ -68,6 +71,10 @@
import
org.picketlink.identity.federation.core.interfaces.TrustKeyConfigurationException;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
import org.picketlink.identity.federation.core.interfaces.TrustKeyProcessingException;
+import org.picketlink.identity.federation.core.saml.v1.SAML11Constants;
+import org.picketlink.identity.federation.core.saml.v1.SAML11ProtocolContext;
+import org.picketlink.identity.federation.core.saml.v1.writers.SAML11ResponseWriter;
+import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import
org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
@@ -82,12 +89,19 @@
import
org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChainConfig;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
+import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
+import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.core.saml.v2.util.HandlerUtil;
+import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil;
import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
import org.picketlink.identity.federation.core.util.CoreConfigUtil;
+import org.picketlink.identity.federation.core.util.StaxUtil;
import org.picketlink.identity.federation.core.util.StringUtil;
import org.picketlink.identity.federation.core.util.SystemPropertiesUtil;
import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
+import org.picketlink.identity.federation.saml.v1.assertion.SAML11AssertionType;
+import org.picketlink.identity.federation.saml.v1.protocol.SAML11ResponseType;
+import org.picketlink.identity.federation.saml.v1.protocol.SAML11StatusType;
import org.picketlink.identity.federation.saml.v2.SAML2Object;
import org.picketlink.identity.federation.saml.v2.protocol.RequestAbstractType;
import org.picketlink.identity.federation.saml.v2.protocol.StatusResponseType;
@@ -341,7 +355,20 @@
else
{
//TODO: PLFED-193
- log.error("No SAML Request or Response Message");
+ String target = request.getParameter(SAML11Constants.TARGET);
+ if (isNotNull(target))
+ {
+ //We have SAML 1.1 IDP first scenario. Now we need to create a
SAMLResponse and send back
+ //to SP as per target
+ handleSAML11(webRequestUtil, request, response);
+ }
+ else
+ {
+ //Send it to the hosted page
+ RequestDispatcher dispatch =
request.getRequestDispatcher("/hosted/");
+ dispatch.forward(request, response);
+ }
+ /*log.error("No SAML Request or Response Message");
if (trace)
log.trace("Referer=" + referer);
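Review bot: The `/*log.error("No SAML Request or Response Message"); ...` block opened at the end of this hunk (it closes in the next one) is commented-out code; delete it outright rather than keeping it in a block comment, since revision history already preserves it. The `//TODO: PLFED-193` marker now sits above live code instead of a stub, so either resolve it or reword it to say what is still missing. The new fallback silently forwards to `/hosted/` where the old code logged an error; keeping a diagnostic such as `if (trace) log.trace("No SAML message and no TARGET parameter, forwarding to /hosted/");` would preserve the ability to debug a misrouted SP request. The enclosing method begins before this hunk.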
@@ -353,9 +380,57 @@
{
if (trace)
log.trace(e);
+ }*/
+ }
+ }
+ }
+
+ protected void handleSAML11(IDPWebRequestUtil webRequestUtil, Request request,
Response response)
+ throws ServletException, IOException
+ {
+ try
+ {
+ String target = request.getParameter(SAML11Constants.TARGET);
+
+ Session session = request.getSessionInternal();
+ SAML11AssertionType saml11Assertion = (SAML11AssertionType)
session.getNote("SAML11");
+ if (saml11Assertion == null)
+ {
+ SAML11ProtocolContext saml11Protocol = new SAML11ProtocolContext();
+ PicketLinkCoreSTS.instance().issueToken(saml11Protocol);
+ saml11Assertion = saml11Protocol.getIssuedAssertion();
+ session.setNote("SAML11", saml11Assertion);
+
+ if (AssertionUtil.hasExpired(saml11Assertion))
+ {
+ saml11Protocol.setIssuedAssertion(saml11Assertion);
+ PicketLinkCoreSTS.instance().renewToken(saml11Protocol);
+ saml11Assertion = saml11Protocol.getIssuedAssertion();
+ session.setNote("SAML11", saml11Assertion);
}
}
+ //Send it as SAMLResponse
+ String id = IDGenerator.create("ID_");
+ SAML11ResponseType saml11Response = new SAML11ResponseType(id,
XMLTimeUtil.getIssueInstant());
+ saml11Response.add(saml11Assertion);
+ saml11Response.setStatus(SAML11StatusType.successType());
+
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ SAML11ResponseWriter writer = new
SAML11ResponseWriter(StaxUtil.getXMLStreamWriter(baos));
+ writer.write(saml11Response);
+
+ Document samlResponse = DocumentUtil.getDocument(new
ByteArrayInputStream(baos.toByteArray()));
+
+ WebRequestUtilHolder holder = webRequestUtil.getHolder();
+
holder.setResponseDoc(samlResponse).setDestination(target).setRelayState("").setAreWeSendingRequest(false)
+
.setPrivateKey(null).setSupportSignature(false).setServletResponse(response);
+ webRequestUtil.send(holder);
}
+ catch (GeneralSecurityException e)
+ {
+ log.error("Exception handling saml 11 use case:", e);
+ throw new ServletException();
+ }
}
protected void processSAMLRequestMessage(IDPWebRequestUtil webRequestUtil, Request
request, Response response)
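Review bot: `target` in `handleSAML11` is read straight from the `TARGET` request parameter and handed to `setDestination(target)` with no validation, so a link of the form `...?TARGET=https://attacker.example` causes the authenticated user's browser to deliver a freshly issued assertion to any host the attacker names; the destination must be checked against the IdP's configured trusted service providers before anything is sent (the SAML 2 path in this valve appears to have an issuer trust check, judging by the `IssuerNotTrustedException` import). The response is also emitted with `.setPrivateKey(null).setSupportSignature(false)`, i.e. unsigned, leaving the SP nothing with which to authenticate the IdP in a browser POST exchange, whereas the valve's signing key used for SAML 2 responses should apply here as well. The `AssertionUtil.hasExpired` test is nested inside `if (saml11Assertion == null)`, so it only ever examines an assertion issued a moment earlier, while an assertion cached in the `SAML11` session note by a previous request is replayed without any expiry check; the renewal belongs on the cached path. `throw new ServletException();` in the catch drops the cause — use `throw new ServletException("Exception handling saml 11 use case", e);`. The reordered issuance/renewal block would read as follows.
```java
SAML11AssertionType saml11Assertion = (SAML11AssertionType) session.getNote("SAML11");
if (saml11Assertion == null)
{
   SAML11ProtocolContext saml11Protocol = new SAML11ProtocolContext();
   PicketLinkCoreSTS.instance().issueToken(saml11Protocol);
   saml11Assertion = saml11Protocol.getIssuedAssertion();
}
else if (AssertionUtil.hasExpired(saml11Assertion))
{
   // a cached assertion that has run past its validity is renewed instead of replayed
   SAML11ProtocolContext saml11Protocol = new SAML11ProtocolContext();
   saml11Protocol.setIssuedAssertion(saml11Assertion);
   PicketLinkCoreSTS.instance().renewToken(saml11Protocol);
   saml11Assertion = saml11Protocol.getIssuedAssertion();
}
session.setNote("SAML11", saml11Assertion);
// … unchanged: build SAML11ResponseType, serialize, populate holder and send …
```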
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/SecurityTokenProvider.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/SecurityTokenProvider.java 2011-07-06
14:44:27 UTC (rev 1066)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/SecurityTokenProvider.java 2011-07-06
14:45:20 UTC (rev 1067)
@@ -26,7 +26,7 @@
import javax.xml.namespace.QName;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
-import org.picketlink.identity.federation.core.wstrust.WSTrustException;
+import org.picketlink.identity.federation.core.wstrust.WSTrustException;
/**
* <p>
@@ -41,11 +41,10 @@
* An enumeration that identifies the family to which
* the security token provider belongs
*/
- public enum FAMILY_TYPE
- {
- SAML2, WS_TRUST,OPENID,OAUTH, CUSTOM;
+ public enum FAMILY_TYPE {
+ SAML2, SAML11, WS_TRUST, OPENID, OAUTH, CUSTOM;
}
-
+
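Review bot: The reformatted `public enum FAMILY_TYPE {` moves the opening brace onto the declaration line, while the removed form and the valve modified in this same commit open braces on their own line; keep one convention in the file and leave the brace on its own line. The new `SAML11` constant is not mentioned in the Javadoc above the enum; a short addition such as `SAML11 identifies providers issuing SAML 1.1 assertions` would tell implementors which family their provider should declare.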
/**
* <p>
* Initializes the {@code SecurityTokenProvider} using the specified properties map.
@@ -55,27 +54,26 @@
* this {@code SecurityTokenProvider}.
*/
public void initialize(Map<String, String> properties);
-
+
/**
* Specify whether this token provider supports a particular namespace
* @param namespace a string value representing a namespace
* @return
*/
- public boolean supports( String namespace );
-
+ public boolean supports(String namespace);
+
/**
* Token Type
* @return
*/
public String tokenType();
-
+
/**
* Provide an optional {@code QName} for configuration
* @return
*/
public QName getSupportedQName();
-
-
+
/**
* The family where this security token provider belongs
* @see {@code FAMILY_TYPE}}
@@ -92,7 +90,7 @@
* @param context the {@code ProtocolContext} to be used when generating the token.
* @throws WSTrustException if an error occurs while creating the security token.
*/
- public void issueToken( ProtocolContext context) throws ProcessingException;
+ public void issueToken(ProtocolContext context) throws ProcessingException;
/**
* <p>
@@ -103,7 +101,7 @@
* @param context the {@code ProtocolContext} that contains the token to be renewed.
* @throws WSTrustException if an error occurs while renewing the security token.
*/
- public void renewToken( ProtocolContext context) throws ProcessingException;
+ public void renewToken(ProtocolContext context) throws ProcessingException;
/**
* <p>
@@ -114,7 +112,7 @@
* @param context the {@code ProtocolContext} that contains the token to be canceled.
* @throws WSTrustException if an error occurs while canceling the security token.
*/
- public void cancelToken( ProtocolContext context) throws ProcessingException;
+ public void cancelToken(ProtocolContext context) throws ProcessingException;
/**
* <p>
@@ -125,5 +123,5 @@
* @param context the {@code ProtocolContext} that contains the token to be
validated.
* @throws WSTrustException if an error occurs while validating the security token.
*/
- public void validateToken( ProtocolContext context) throws ProcessingException;
+ public void validateToken(ProtocolContext context) throws ProcessingException;
}
\ No newline at end of file
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/parsers/saml/SAML11ResponseParser.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/parsers/saml/SAML11ResponseParser.java 2011-07-06
14:44:27 UTC (rev 1066)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/parsers/saml/SAML11ResponseParser.java 2011-07-06
14:45:20 UTC (rev 1067)
@@ -124,7 +124,7 @@
QName startElementName = startElement.getName();
String elementTag = startElementName.getLocalPart();
- SAML11StatusCodeType statusCode = new SAML11StatusCodeType();
+ SAML11StatusCodeType statusCode = null;
if (JBossSAMLConstants.STATUS_CODE.get().equals(elementTag))
{
@@ -134,7 +134,7 @@
Attribute valueAttr = startElement.getAttributeByName(new
QName("Value"));
if (valueAttr != null)
{
- statusCode.setValue(new
QName(StaxParserUtil.getAttributeValue(valueAttr)));
+ statusCode = new SAML11StatusCodeType(new
QName(StaxParserUtil.getAttributeValue(valueAttr)));
}
status.setStatusCode(statusCode);
@@ -143,12 +143,13 @@
elementTag = startElement.getName().getLocalPart();
if (JBossSAMLConstants.STATUS_CODE.get().equals(elementTag))
{
- SAML11StatusCodeType subStatusCodeType = new SAML11StatusCodeType();
+ SAML11StatusCodeType subStatusCodeType = null;
startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
Attribute subValueAttr = startElement.getAttributeByName(new
QName("Value"));
if (subValueAttr != null)
{
- subStatusCodeType.setValue(new
QName(StaxParserUtil.getAttributeValue(subValueAttr)));
+ subStatusCodeType = new SAML11StatusCodeType(
+ new QName(StaxParserUtil.getAttributeValue(subValueAttr)));
}
statusCode.setStatusCode(subStatusCodeType);
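Review bot: `statusCode.setStatusCode(subStatusCodeType);` on the last line dereferences `statusCode`, which after this commit is left `null` whenever the outer `StatusCode` element carries no `Value` attribute (see the previous hunk), so a malformed or hostile response now fails with a NullPointerException inside the parser rather than a parse error. `Value` is a required attribute of `StatusCode` in SAML 1.1, so its absence should be rejected explicitly where `valueAttr` (and likewise `subValueAttr`) is tested, using the parsing exception this method already declares — its `throws` clause is outside the hunk — with a message along the lines of `"StatusCode is missing the required Value attribute"`. As written, the sub-status path has the same gap: `statusCode.setStatusCode(subStatusCodeType)` stores a `null` sub-status instead of reporting it. The enclosing method starts before and ends after this hunk.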