Author: anil.saldhana(a)jboss.com
Date: 2011-01-03 16:12:33 -0500 (Mon, 03 Jan 2011)
New Revision: 625
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/response/SAML2Response.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/holders/IDPInfoHolder.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2LogOutHandler.java
Log:
Renew the existing token instead of issuing a new one when a second SP authenticates the user
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
---
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2011-01-03
21:12:06 UTC (rev 624)
+++
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2011-01-03
21:12:33 UTC (rev 625)
@@ -384,6 +384,8 @@
HANDLER_TYPE.IDP);
saml2HandlerRequest.setRelayState(relayState);
+ String assertionID = (String) session.getSession().getAttribute(
GeneralConstants.ASSERTION_ID );
+
//Set the options on the handler request
Map<String, Object> requestOptions = new HashMap<String,
Object>();
if(this.ignoreIncomingSignatures)
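Review bot: The ASSERTION_ID session attribute read at the top of this hunk is not written anywhere in this commit — the handler later stores the assertion object under GeneralConstants.ASSERTION but never its ID — so unless code outside the diff sets it, `assertionID` is always null here and the renewal path it is meant to trigger stays dormant. If the ID is the intended renewal trigger, the handler should store it alongside the assertion, e.g. `session.setAttribute(GeneralConstants.ASSERTION_ID, assertion.getID());`. The bare `(String)` cast on a shared servlet-session attribute is also worth an `instanceof` guard so a foreign value fails cleanly instead of with a ClassCastException. The enclosing method starts before and ends after this hunk.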
@@ -391,6 +393,8 @@
requestOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator);
requestOptions.put(GeneralConstants.ASSERTIONS_VALIDITY,
this.assertionValidity);
requestOptions.put(GeneralConstants.CONFIGURATION,
this.idpConfiguration);
+ if( assertionID != null )
+ requestOptions.put(GeneralConstants.ASSERTION_ID, assertionID );
if(this.keyManager != null)
{
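Review bot: The `requestOptions.put(GeneralConstants.ASSERTION_ID, assertionID)` added here has no consumer in this commit: SAML2AuthenticationHandler.getResponse reads `session.getAttribute(GeneralConstants.ASSERTION_ID)` directly rather than `request.getOptions()`, so the option is dead unless a handler outside the diff uses it. Either drop the put or make the handler read `request.getOptions().get(GeneralConstants.ASSERTION_ID)` so the renewal decision has a single source of truth. The enclosing method continues outside this hunk.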
Modified:
federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/response/SAML2Response.java
===================================================================
---
federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/response/SAML2Response.java 2011-01-03
21:12:06 UTC (rev 624)
+++
federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/response/SAML2Response.java 2011-01-03
21:12:33 UTC (rev 625)
@@ -187,10 +187,19 @@
SAMLProtocolContext samlProtocolContext = new SAMLProtocolContext();
samlProtocolContext.setSubjectType( subjectType );
samlProtocolContext.setIssuerID(nameIDType);
- sts.issueToken( samlProtocolContext );
- AssertionType assertionType = samlProtocolContext.getIssuedAssertion();
+ AssertionType assertionType = idp.getAssertion();
+ if( assertionType != null )
+ {
+ samlProtocolContext.setIssuedAssertion(assertionType);
+ //renew it
+ sts.renewToken( samlProtocolContext );
+ }
+ else
+ sts.issueToken( samlProtocolContext );
+ assertionType = samlProtocolContext.getIssuedAssertion();
+
/*AssertionType assertionType = SAMLAssertionFactory.createAssertion(id,
nameIDType , issueInstant, (ConditionsType) null, subjectType,
(List<StatementAbstractType>)null );
*/
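Review bot: In the renew branch the context carries both a freshly built `subjectType`/`nameIDType` and the prior assertion taken from the holder, and which of the two shapes the result depends entirely on `sts.renewToken`, which is not visible here; if renewal preserves the original Subject/SubjectConfirmationData, the second SP receives Recipient/InResponseTo values minted for the first SP, which a strict SP would reject and a lax one would accept for the wrong request. `samlProtocolContext.getIssuedAssertion()` is also assumed non-null after either call, so a renew that yields nothing propagates null into the response construction below. I would add a guard right after the reassignment, e.g. `if (assertionType == null) throw new ProcessingException("STS returned no assertion");`, and a comment stating which assertion fields renewal is expected to replace. The commented-out createAssertion block should be deleted rather than kept. The enclosing method extends beyond this hunk.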
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/holders/IDPInfoHolder.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/holders/IDPInfoHolder.java 2011-01-03
21:12:06 UTC (rev 624)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/holders/IDPInfoHolder.java 2011-01-03
21:12:33 UTC (rev 625)
@@ -22,6 +22,8 @@
package org.picketlink.identity.federation.core.saml.v2.holders;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
+import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
+import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AssertionType;
/**
@@ -36,6 +38,8 @@
private String nameIDFormat = JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get();
private String nameIDFormatValue;
+ private AssertionType assertion;
+
private int assertionValidityDuration = 5; //5 Minutes
public int getAssertionValidityDuration()
@@ -76,5 +80,21 @@
public void setNameIDFormatValue(String nameIDFormatValue)
{
this.nameIDFormatValue = nameIDFormatValue;
- }
+ }
+
+ public AssertionType getAssertion()
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if( sm != null )
+ sm.checkPermission( PicketLinkCoreSTS.rte );
+ return assertion;
+ }
+
+ public void setAssertion(AssertionType assertion)
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if( sm != null )
+ sm.checkPermission( PicketLinkCoreSTS.rte );
+ this.assertion = assertion;
+ }
}
\ No newline at end of file
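Review bot: The permission check in getAssertion/setAssertion only runs when a SecurityManager is installed (`if( sm != null )`), so in the common no-SecurityManager deployment the new accessors are unguarded, and elsewhere in this commit the same AssertionType is also placed in the HttpSession under GeneralConstants.ASSERTION with no check at all, so the permission here does not by itself fence the assertion. Neither accessor is documented; I would add `/** Previously issued assertion to renew; null means a fresh assertion is issued. Access is gated by {@link PicketLinkCoreSTS#rte} only when a SecurityManager is present. */` above getAssertion and a matching line above setAssertion. The file also lost its trailing newline in this hunk.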
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-01-03
21:12:06 UTC (rev 624)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2011-01-03
21:12:33 UTC (rev 625)
@@ -29,6 +29,8 @@
public interface GeneralConstants
{
String ASSERTIONS_VALIDITY = "ASSERTIONS_VALIDITY";
+ String ASSERTION_ID = "ASSERTION_ID";
+ String ASSERTION = "ASSERTION";
String ATTRIBUTES = "ATTRIBUTES";
String ATTRIBUTE_KEYS = "ATTRIBUTE_KEYS";
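Review bot: The two new keys are added without saying what is stored under them or where, which matters because both are session attributes that other code will cast blindly. I would document them inline: `/** HTTP session attribute: ID of the assertion last issued for this session (renewal trigger). */` above ASSERTION_ID and `/** HTTP session attribute: the AssertionType last issued, reused on renewal; cleared on logout. */` above ASSERTION, hedged to whatever the handlers in this commit actually store.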
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-01-03
21:12:06 UTC (rev 624)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java 2011-01-03
21:12:33 UTC (rev 625)
@@ -50,11 +50,11 @@
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AssertionType;
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType;
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
-import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.SubjectType.STSubType;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeType;
import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.EncryptedAssertionType;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.NameIDType;
import org.picketlink.identity.federation.newmodel.saml.v2.assertion.SubjectType;
+import
org.picketlink.identity.federation.newmodel.saml.v2.assertion.SubjectType.STSubType;
import org.picketlink.identity.federation.newmodel.saml.v2.protocol.AuthnRequestType;
import org.picketlink.identity.federation.newmodel.saml.v2.protocol.ResponseType;
import
org.picketlink.identity.federation.newmodel.saml.v2.protocol.ResponseType.RTChoiceType;
@@ -142,7 +142,6 @@
{
}
- @SuppressWarnings("unchecked")
public void handleRequestType( SAML2HandlerRequest request,
SAML2HandlerResponse response ) throws ProcessingException
{
@@ -150,22 +149,29 @@
ServletContext servletContext = httpContext.getServletContext();
AuthnRequestType art = (AuthnRequestType) request.getSAML2Object();
+ if( art == null )
+ throw new ProcessingException( "AuthnRequest is null" );
+
+ String destination = art.getAssertionConsumerServiceURL().toASCIIString();
+
HttpSession session = BaseSAML2Handler.getHttpSession(request);
Principal userPrincipal = (Principal)
session.getAttribute(GeneralConstants.PRINCIPAL_ID);
if(userPrincipal == null)
userPrincipal = httpContext.getRequest().getUserPrincipal();
-
- List<String> roles = (List<String>)
session.getAttribute(GeneralConstants.ROLES_ID);
+ /*
+ List<String> roles = (List<String>)
session.getAttribute(GeneralConstants.ROLES_ID);*/
try
{
- Map<String,Object> attribs = (Map<String, Object>)
request.getOptions().get(GeneralConstants.ATTRIBUTES);
+ /*Map<String,Object> attribs = (Map<String, Object>)
request.getOptions().get(GeneralConstants.ATTRIBUTES);
long assertionValidity = (Long)
request.getOptions().get(GeneralConstants.ASSERTIONS_VALIDITY);
String destination = art.getAssertionConsumerServiceURL().toASCIIString();
Document samlResponse = this.getResponse(destination,
userPrincipal, roles, request.getIssuer().getValue(),
attribs,
- assertionValidity, art.getID());
+ assertionValidity, art.getID());*/
+ Document samlResponse = this.getResponse(request);
+
//Update the Identity Server
boolean isPost = httpContext.getRequest().getMethod().equalsIgnoreCase(
"POST" );
IdentityServer identityServer = (IdentityServer)
servletContext.getAttribute(GeneralConstants.IDENTITY_SERVER);
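Review bot: `destination` computed on the line after the new null check is never used in this method now that the old getResponse call is commented out, and `art.getAssertionConsumerServiceURL()` can itself be null, which would throw an NPE immediately after the guard that was just added. Replace the dead local with an explicit check: `if (art.getAssertionConsumerServiceURL() == null) throw new ProcessingException("AuthnRequest has no AssertionConsumerServiceURL");`. The superseded code is left as comment blocks instead of being removed, and `userPrincipal` is fetched here but only consumed inside getResponse, which re-reads it. The method body continues past the end of this hunk.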
@@ -183,6 +189,105 @@
}
}
+ @SuppressWarnings("unchecked")
+ public Document getResponse( SAML2HandlerRequest request ) throws
ConfigurationException, ProcessingException
+ {
+ HTTPContext httpContext = (HTTPContext) request.getContext();
+ AuthnRequestType art = (AuthnRequestType) request.getSAML2Object();
+ HttpSession session = BaseSAML2Handler.getHttpSession(request);
+ Principal userPrincipal = (Principal)
session.getAttribute(GeneralConstants.PRINCIPAL_ID);
+ if(userPrincipal == null)
+ userPrincipal = httpContext.getRequest().getUserPrincipal();
+
+ String assertionConsumerURL =
art.getAssertionConsumerServiceURL().toASCIIString();
+ List<String> roles = (List<String>)
session.getAttribute(GeneralConstants.ROLES_ID);
+ String identityURL = request.getIssuer().getValue();
+ Map<String, Object> attribs = (Map<String, Object>)
request.getOptions().get(GeneralConstants.ATTRIBUTES);
+ long assertionValidity = (Long)
request.getOptions().get(GeneralConstants.ASSERTIONS_VALIDITY);
+ String requestID = art.getID();
+
+ Document samlResponseDocument = null;
+
+ if(trace)
+ log.trace("AssertionConsumerURL=" + assertionConsumerURL +
+ "::assertion validity=" + assertionValidity);
+ ResponseType responseType = null;
+
+ SAML2Response saml2Response = new SAML2Response();
+
+ //Create a response type
+ String id = IDGenerator.create("ID_");
+
+ IssuerInfoHolder issuerHolder = new IssuerInfoHolder(identityURL);
+ issuerHolder.setStatusCode(JBossSAMLURIConstants.STATUS_SUCCESS.get());
+
+ IDPInfoHolder idp = new IDPInfoHolder();
+ idp.setNameIDFormatValue(userPrincipal.getName());
+ idp.setNameIDFormat(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get());
+
+ String assertionID = (String) session.getAttribute(
GeneralConstants.ASSERTION_ID );
+
+ if( assertionID != null )
+ {
+ //Just renew the assertion
+ AssertionType latestAssertion = (AssertionType) session.getAttribute(
GeneralConstants.ASSERTION );
+ if( latestAssertion != null )
+ idp.setAssertion( latestAssertion );
+ }
+
+ SPInfoHolder sp = new SPInfoHolder();
+ sp.setResponseDestinationURI(assertionConsumerURL);
+ sp.setRequestID(requestID);
+ responseType = saml2Response.createResponseType(id, sp, idp, issuerHolder);
+
+ //Add information on the roles
+ AssertionType assertion = (AssertionType)
responseType.getAssertions().get(0).getAssertion();
+
+ AttributeStatementType attrStatement =
StatementUtil.createAttributeStatement(roles);
+ assertion.addStatement( attrStatement );
+
+ /*//Add timed conditions
+ saml2Response.createTimedConditions(assertion, assertionValidity);*/
+
+ //Add in the attributes information
+ if(attribs != null && attribs.size() > 0 )
+ {
+ AttributeStatementType attStatement =
StatementUtil.createAttributeStatement(attribs);
+ assertion.addStatement( attStatement );
+ }
+
+ //Add assertion to the session
+ session.setAttribute( GeneralConstants.ASSERTION, assertion );
+
+ //Lets see how the response looks like
+ if(log.isTraceEnabled())
+ {
+ StringWriter sw = new StringWriter();
+ try
+ {
+ saml2Response.marshall(responseType, sw);
+ }
+ catch ( ProcessingException e)
+ {
+ log.trace(e);
+ }
+ log.trace("Response="+sw.toString());
+ }
+ try
+ {
+ samlResponseDocument = saml2Response.convert(responseType);
+ }
+ catch (Exception e)
+ {
+ e.printStackTrace();
+ if(trace)
+ log.trace(e);
+ }
+ return samlResponseDocument;
+ }
+
+ @SuppressWarnings("unused")
+ @Deprecated
public Document getResponse( String assertionConsumerURL,
Principal userPrincipal,
List<String> roles,
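Review bot: The new getResponse reads `assertionValidity` from the options but the only consumer, `saml2Response.createTimedConditions(assertion, assertionValidity)`, is now commented out, so unless issueToken/renewToken (not visible here) add Conditions, assertions leave the IdP with no NotBefore/NotOnOrAfter window and the renewal path has nothing that actually extends an expiring one. Second, the assertion stored under GeneralConstants.ASSERTION is mutated in place on every call via `assertion.addStatement(...)` for roles and again for attributes, so if renewToken hands back the same instance, each SP login appends another AttributeStatement to the session's assertion. Third, a conversion failure is printed with `e.printStackTrace()` and swallowed, returning a null Document to the caller. I would restore the createTimedConditions call, add statements only when the assertion was freshly issued (or strip the existing attribute statements first), and rethrow the conversion failure wrapped in ProcessingException instead of returning null. The deprecated getResponse at the end of the hunk continues outside it.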
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2LogOutHandler.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2LogOutHandler.java 2011-01-03
21:12:06 UTC (rev 624)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2LogOutHandler.java 2011-01-03
21:12:33 UTC (rev 625)
@@ -35,6 +35,7 @@
import org.picketlink.identity.federation.core.exceptions.ParsingException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
+import org.picketlink.identity.federation.core.saml.v2.common.SAMLProtocolContext;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLConstants;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
@@ -42,6 +43,8 @@
import
org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest.GENERATE_REQUEST_TYPE;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil;
+import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
+import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.newmodel.saml.v2.protocol.LogoutRequestType;
import org.picketlink.identity.federation.newmodel.saml.v2.protocol.ResponseType;
import org.picketlink.identity.federation.newmodel.saml.v2.protocol.StatusCodeType;
@@ -172,7 +175,16 @@
String nextParticipant = this.getParticipant(server, sessionID, relayState);
if(nextParticipant == null || nextParticipant.equals(relayState))
{
- //we are done with logout
+ //we are done with logout - First ask STS to cancel the token
+ AssertionType assertion = (AssertionType) httpSession.getAttribute(
GeneralConstants.ASSERTION );
+ if( assertion != null )
+ {
+ PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
+ SAMLProtocolContext samlProtocolContext = new SAMLProtocolContext();
+ samlProtocolContext.setIssuedAssertion( assertion );
+ sts.cancelToken(samlProtocolContext);
+ httpSession.removeAttribute( GeneralConstants.ASSERTION );
+ }
//TODO: check the in transit map for partial logouts