Picketlink SVN: r1035 - in federation/trunk: picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util and 2 other directories.
4:56 p.m.
Author: anil.saldhana(a)jboss.com
Date: 2011-06-24 17:56:04 -0400 (Fri, 24 Jun 2011)
New Revision: 1035
Added:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/writers/SAML11AssertionWriter.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML11TokenProvider.java
Modified:
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML20TokenRoleAttributeProvider.java
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SecurityActions.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/AssertionUtil.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/writers/BaseWriter.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAMLUtil.java
Log:
wst saml11 token provider
Modified:
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML20TokenRoleAttributeProvider.java
===================================================================
---
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML20TokenRoleAttributeProvider.java 2011-06-24
19:10:12 UTC (rev 1034)
+++
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML20TokenRoleAttributeProvider.java 2011-06-24
21:56:04 UTC (rev 1035)
@@ -8,11 +8,10 @@
import javax.security.auth.Subject;
import org.apache.log4j.Logger;
-import org.jboss.security.SecurityContextAssociation;
import
org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenAttributeProvider;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
+import
org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
-import
org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
/**
* <p>
@@ -45,12 +44,12 @@
public class SAML20TokenRoleAttributeProvider implements SAML20TokenAttributeProvider
{
private static Logger logger =
Logger.getLogger(SAML20TokenRoleAttributeProvider.class);
-
+
/**
* The name of the principal in JBoss that is expected to include user roles
*/
public static final String JBOSS_ROLE_PRINCIPAL_NAME = "Roles";
-
+
/**
* The default attribute name in the SAML Token that will carry the user's roles,
if not configured otherwise
*/
@@ -60,12 +59,12 @@
* The name of the attribute in the SAML Token that will carry the user's roles
*/
private String tokenRoleAttributeName;
-
+
public void setProperties(Map<String, String> properties)
{
String roleAttrKey = this.getClass().getName() +
".tokenRoleAttributeName";
tokenRoleAttributeName = properties.get(roleAttrKey);
- if( tokenRoleAttributeName == null )
+ if (tokenRoleAttributeName == null)
{
tokenRoleAttributeName = DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME;
}
@@ -73,8 +72,8 @@
public AttributeStatementType getAttributeStatement()
{
- Subject subject =
SecurityContextAssociation.getSecurityContext().getSubjectInfo().getAuthenticatedSubject();
- if( subject == null )
+ Subject subject =
SecurityActions.getSecurityContext().getSubjectInfo().getAuthenticatedSubject();
+ if (subject == null)
{
if (logger.isDebugEnabled())
logger.debug("No authentication Subject found, cannot provide any user
roles!");
@@ -82,28 +81,29 @@
}
else
{
- AttributeStatementType attributeStatement = new AttributeStatementType();
- AttributeType rolesAttribute = new AttributeType( tokenRoleAttributeName );
- attributeStatement.addAttribute( new ASTChoiceType(rolesAttribute) );
-
- //List<Object> roles = rolesAttribute.getAttributeValue();
- for( Principal rolePrincipal : subject.getPrincipals() )
- {
- if( JBOSS_ROLE_PRINCIPAL_NAME.equalsIgnoreCase( rolePrincipal.getName() )
)
- {
- Group simpleGroup = (Group)rolePrincipal;
- Enumeration<? extends Principal> members =
simpleGroup.members();
- while( members.hasMoreElements() )
- {
- Principal role = (Principal)members.nextElement();
- rolesAttribute.addAttributeValue( role.getName() );
- //roles.add( role.getName() );
- }
- }
- }
- if (logger.isDebugEnabled())
- logger.debug("Returning an AttributeStatement with a [" +
tokenRoleAttributeName + "] attribute containing: " +
rolesAttribute.getAttributeValue());
- return attributeStatement;
+ AttributeStatementType attributeStatement = new AttributeStatementType();
+ AttributeType rolesAttribute = new AttributeType(tokenRoleAttributeName);
+ attributeStatement.addAttribute(new ASTChoiceType(rolesAttribute));
+
+ //List<Object> roles = rolesAttribute.getAttributeValue();
+ for (Principal rolePrincipal : subject.getPrincipals())
+ {
+ if (JBOSS_ROLE_PRINCIPAL_NAME.equalsIgnoreCase(rolePrincipal.getName()))
+ {
+ Group simpleGroup = (Group) rolePrincipal;
+ Enumeration<? extends Principal> members = simpleGroup.members();
+ while (members.hasMoreElements())
+ {
+ Principal role = members.nextElement();
+ rolesAttribute.addAttributeValue(role.getName());
+ //roles.add( role.getName() );
+ }
+ }
+ }
+ if (logger.isDebugEnabled())
+ logger.debug("Returning an AttributeStatement with a [" +
tokenRoleAttributeName
+ + "] attribute containing: " +
rolesAttribute.getAttributeValue());
+ return attributeStatement;
}
}
}
\ No newline at end of file
Modified:
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SecurityActions.java
===================================================================
---
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SecurityActions.java 2011-06-24
19:10:12 UTC (rev 1034)
+++
federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SecurityActions.java 2011-06-24
21:56:04 UTC (rev 1035)
@@ -27,6 +27,7 @@
import java.security.PrivilegedExceptionAction;
import org.jboss.security.SecurityContext;
+import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SecurityContextFactory;
/**
@@ -37,6 +38,17 @@
*/
class SecurityActions
{
+ static SecurityContext getSecurityContext()
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<SecurityContext>()
+ {
+ public SecurityContext run()
+ {
+ return SecurityContextAssociation.getSecurityContext();
+ }
+ });
+ }
+
static SecurityContext createSecurityContext() throws PrivilegedActionException
{
return AccessController.doPrivileged(new
PrivilegedExceptionAction<SecurityContext>()
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/AssertionUtil.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/AssertionUtil.java 2011-06-24
19:10:12 UTC (rev 1034)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/AssertionUtil.java 2011-06-24
21:56:04 UTC (rev 1035)
@@ -36,6 +36,7 @@
import org.picketlink.identity.federation.core.saml.v2.writers.SAMLAssertionWriter;
import org.picketlink.identity.federation.core.util.StaxUtil;
import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
+import org.picketlink.identity.federation.saml.v1.assertion.SAML11AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
import
org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
@@ -80,6 +81,19 @@
* @param issuer
* @return
*/
+ public static SAML11AssertionType createSAML11Assertion(String id,
XMLGregorianCalendar issueInstant, String issuer)
+ {
+ SAML11AssertionType assertion = new SAML11AssertionType(id, issueInstant);
+ assertion.setIssuer(issuer);
+ return assertion;
+ }
+
+ /**
+ * Create an assertion
+ * @param id
+ * @param issuer
+ * @return
+ */
public static AssertionType createAssertion(String id, NameIDType issuer)
{
XMLGregorianCalendar issueInstant = null;
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/writers/BaseWriter.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/writers/BaseWriter.java 2011-06-24
19:10:12 UTC (rev 1034)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/writers/BaseWriter.java 2011-06-24
21:56:04 UTC (rev 1035)
@@ -36,7 +36,7 @@
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLConstants;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.picketlink.identity.federation.core.util.StaxUtil;
-import org.picketlink.identity.federation.core.util.StringUtil;
+import org.picketlink.identity.federation.core.util.StringUtil;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
import org.picketlink.identity.federation.saml.v2.metadata.LocalizedNameType;
@@ -49,18 +49,22 @@
public class BaseWriter
{
protected static String PROTOCOL_PREFIX = "samlp";
+
protected static String ASSERTION_PREFIX = "saml";
+
protected static String XACML_SAML_PREFIX = "xacml-saml";
+
protected static String XACML_SAML_PROTO_PREFIX = "xacml-samlp";
+
protected static String XSI_PREFIX = "xsi";
-
- protected XMLStreamWriter writer = null;
-
+
+ protected XMLStreamWriter writer = null;
+
public BaseWriter(XMLStreamWriter writer) throws ProcessingException
{
this.writer = writer;
}
-
+
/**
* Write {@code NameIDType} to stream
* @param nameIDType
@@ -68,44 +72,44 @@
* @param out
* @throws ProcessingException
*/
- public void write( NameIDType nameIDType, QName tag ) throws ProcessingException
+ public void write(NameIDType nameIDType, QName tag) throws ProcessingException
{
- StaxUtil.writeStartElement( writer, tag.getPrefix(), tag.getLocalPart() ,
tag.getNamespaceURI() );
-
+ StaxUtil.writeStartElement(writer, tag.getPrefix(), tag.getLocalPart(),
tag.getNamespaceURI());
+
URI format = nameIDType.getFormat();
- if( format != null )
+ if (format != null)
{
- StaxUtil.writeAttribute( writer, JBossSAMLConstants.FORMAT.get(),
format.toASCIIString() );
- }
-
+ StaxUtil.writeAttribute(writer, JBossSAMLConstants.FORMAT.get(),
format.toASCIIString());
+ }
+
String spProvidedID = nameIDType.getSPProvidedID();
- if( StringUtil.isNotNull( spProvidedID ))
+ if (StringUtil.isNotNull(spProvidedID))
{
- StaxUtil.writeAttribute( writer, JBossSAMLConstants.SP_PROVIDED_ID.get(),
spProvidedID );
+ StaxUtil.writeAttribute(writer, JBossSAMLConstants.SP_PROVIDED_ID.get(),
spProvidedID);
}
-
+
String spNameQualifier = nameIDType.getSPNameQualifier();
- if( StringUtil.isNotNull( spNameQualifier ))
+ if (StringUtil.isNotNull(spNameQualifier))
{
- StaxUtil.writeAttribute( writer, JBossSAMLConstants.SP_NAME_QUALIFIER.get(),
spNameQualifier );
+ StaxUtil.writeAttribute(writer, JBossSAMLConstants.SP_NAME_QUALIFIER.get(),
spNameQualifier);
}
-
+
String nameQualifier = nameIDType.getNameQualifier();
- if( StringUtil.isNotNull( nameQualifier ))
+ if (StringUtil.isNotNull(nameQualifier))
{
- StaxUtil.writeAttribute( writer, JBossSAMLConstants.NAME_QUALIFIER.get(),
nameQualifier );
- }
-
+ StaxUtil.writeAttribute(writer, JBossSAMLConstants.NAME_QUALIFIER.get(),
nameQualifier);
+ }
+
String value = nameIDType.getValue();
- if( StringUtil.isNotNull( value ))
+ if (StringUtil.isNotNull(value))
{
- StaxUtil.writeCharacters( writer, value );
+ StaxUtil.writeCharacters(writer, value);
}
-
- StaxUtil.writeEndElement( writer);
- StaxUtil.flush( writer );
+
+ StaxUtil.writeEndElement(writer);
+ StaxUtil.flush(writer);
}
-
+
/**
* Write an {@code AttributeType} to stream
*
@@ -117,13 +121,13 @@
{
StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
JBossSAMLConstants.ATTRIBUTE.get(), ASSERTION_NSURI.get());
- writeAttributeTypeWithoutRootTag(attributeType);
-
+ writeAttributeTypeWithoutRootTag(attributeType);
+
StaxUtil.writeEndElement(writer);
StaxUtil.flush(writer);
}
-
- public void writeAttributeTypeWithoutRootTag( AttributeType attributeType ) throws
ProcessingException
+
+ public void writeAttributeTypeWithoutRootTag(AttributeType attributeType) throws
ProcessingException
{
String attributeName = attributeType.getName();
if (attributeName != null)
@@ -171,32 +175,34 @@
{
if (attributeValue instanceof String)
{
- writeStringAttributeValue( (String) attributeValue );
+ writeStringAttributeValue((String) attributeValue);
}
else
throw new RuntimeException("Unsupported attribute value:" +
attributeValue.getClass().getName());
}
}
}
-
- public void writeStringAttributeValue( String attributeValue ) throws
ProcessingException
+
+ public void writeStringAttributeValue(String attributeValue) throws
ProcessingException
{
- StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
JBossSAMLConstants.ATTRIBUTE_VALUE.get(), ASSERTION_NSURI.get());
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
JBossSAMLConstants.ATTRIBUTE_VALUE.get(),
+ ASSERTION_NSURI.get());
StaxUtil.writeNameSpace(writer, JBossSAMLURIConstants.XSI_PREFIX.get(),
JBossSAMLURIConstants.XSI_NSURI.get());
StaxUtil.writeNameSpace(writer, "xs",
JBossSAMLURIConstants.XMLSCHEMA_NSURI.get());
StaxUtil.writeAttribute(writer, JBossSAMLURIConstants.XSI_NSURI.get(),
"type", "xs:string");
- StaxUtil.writeCharacters(writer, attributeValue );
+ StaxUtil.writeCharacters(writer, attributeValue);
StaxUtil.writeEndElement(writer);
}
-
-
- public void writeLocalizedNameType( LocalizedNameType localizedNameType, QName
startElement ) throws ProcessingException
+ public void writeLocalizedNameType(LocalizedNameType localizedNameType, QName
startElement)
+ throws ProcessingException
{
- StaxUtil.writeStartElement(writer, startElement.getPrefix(),
startElement.getLocalPart(), startElement.getNamespaceURI() );
- StaxUtil.writeAttribute(writer, new QName( JBossSAMLURIConstants.XML.get(),
"lang", "xml" ), localizedNameType.getLang() );
- StaxUtil.writeCharacters(writer, localizedNameType.getValue() );
+ StaxUtil.writeStartElement(writer, startElement.getPrefix(),
startElement.getLocalPart(),
+ startElement.getNamespaceURI());
+ StaxUtil.writeAttribute(writer, new QName(JBossSAMLURIConstants.XML.get(),
"lang", "xml"),
+ localizedNameType.getLang());
+ StaxUtil.writeCharacters(writer, localizedNameType.getValue());
StaxUtil.writeEndElement(writer);
}
}
\ No newline at end of file
Added:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/writers/SAML11AssertionWriter.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/writers/SAML11AssertionWriter.java
(rev 0)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/writers/SAML11AssertionWriter.java 2011-06-24
21:56:04 UTC (rev 1035)
@@ -0,0 +1,472 @@
+/*
+ * JBoss, Home of Professional Open Source. Copyright 2008, Red Hat Middleware LLC, and
individual contributors as
+ * indicated by the @author tags. See the copyright.txt file in the distribution for a
full listing of individual
+ * contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it under the terms of the
GNU Lesser General Public
+ * License as published by the Free Software Foundation; either version 2.1 of the
License, or (at your option) any
+ * later version.
+ *
+ * This software is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied
+ * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser
General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License along with
this software; if not, write to
+ * the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
USA, or see the FSF site:
+ * http://www.fsf.org.
+ */
+package org.picketlink.identity.federation.core.saml.v2.writers;
+
+import static
org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants.ASSERTION_NSURI;
+
+import java.net.URI;
+import java.util.List;
+import java.util.Set;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamWriter;
+
+import org.picketlink.identity.federation.core.exceptions.ProcessingException;
+import org.picketlink.identity.federation.core.saml.v1.SAML11Constants;
+import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLConstants;
+import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
+import org.picketlink.identity.federation.core.util.StaxUtil;
+import org.picketlink.identity.federation.core.util.StringUtil;
+import org.picketlink.identity.federation.core.wstrust.WSTrustConstants;
+import org.picketlink.identity.federation.saml.v1.assertion.SAML11AdviceType;
+import org.picketlink.identity.federation.saml.v1.assertion.SAML11AssertionType;
+import
org.picketlink.identity.federation.saml.v1.assertion.SAML11AttributeStatementType;
+import org.picketlink.identity.federation.saml.v1.assertion.SAML11AttributeType;
+import
org.picketlink.identity.federation.saml.v1.assertion.SAML11AudienceRestrictionCondition;
+import
org.picketlink.identity.federation.saml.v1.assertion.SAML11AuthenticationStatementType;
+import
org.picketlink.identity.federation.saml.v1.assertion.SAML11AuthorizationDecisionStatementType;
+import org.picketlink.identity.federation.saml.v1.assertion.SAML11ConditionAbstractType;
+import org.picketlink.identity.federation.saml.v1.assertion.SAML11ConditionsType;
+import org.picketlink.identity.federation.saml.v1.assertion.SAML11NameIdentifierType;
+import org.picketlink.identity.federation.saml.v1.assertion.SAML11StatementAbstractType;
+import org.picketlink.identity.federation.saml.v1.assertion.SAML11SubjectType;
+import
org.picketlink.identity.federation.saml.v1.assertion.SAML11SubjectType.SAML11SubjectTypeChoice;
+import org.picketlink.identity.federation.saml.v2.assertion.AuthnContextClassRefType;
+import org.picketlink.identity.federation.saml.v2.assertion.AuthnContextDeclRefType;
+import org.picketlink.identity.federation.saml.v2.assertion.AuthnContextDeclType;
+import org.picketlink.identity.federation.saml.v2.assertion.AuthnContextType;
+import
org.picketlink.identity.federation.saml.v2.assertion.AuthnContextType.AuthnContextTypeSequence;
+import org.picketlink.identity.federation.saml.v2.assertion.BaseIDAbstractType;
+import org.picketlink.identity.federation.saml.v2.assertion.KeyInfoConfirmationDataType;
+import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
+import org.picketlink.identity.federation.saml.v2.assertion.StatementAbstractType;
+import org.picketlink.identity.federation.saml.v2.assertion.SubjectConfirmationDataType;
+import org.picketlink.identity.federation.saml.v2.assertion.SubjectConfirmationType;
+import org.picketlink.identity.federation.saml.v2.assertion.URIType;
+import
org.picketlink.identity.federation.saml.v2.profiles.xacml.assertion.XACMLAuthzDecisionStatementType;
+import org.picketlink.identity.xmlsec.w3.xmldsig.KeyInfoType;
+import org.picketlink.identity.xmlsec.w3.xmldsig.X509CertificateType;
+import org.picketlink.identity.xmlsec.w3.xmldsig.X509DataType;
+import org.w3c.dom.Element;
+
+/**
+ * Write the SAML 11 Assertion to stream
+ *
+ * @author Anil.Saldhana(a)redhat.com
+ * @since June 24, 2011
+ */
+public class SAML11AssertionWriter extends BaseWriter
+{
+ public SAML11AssertionWriter(XMLStreamWriter writer) throws ProcessingException
+ {
+ super(writer);
+ }
+
+ /**
+ * Write an {@code SAML11AssertionType} to stream
+ *
+ * @param assertion
+ * @param out
+ * @throws ProcessingException
+ */
+ public void write(SAML11AssertionType assertion) throws ProcessingException
+ {
+ String ns = SAML11Constants.ASSERTION_11_NSURI;
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
JBossSAMLConstants.ASSERTION.get(), ns);
+ StaxUtil.writeNameSpace(writer, ASSERTION_PREFIX, ns);
+ StaxUtil.writeDefaultNameSpace(writer, ns);
+
+ // Attributes
+ StaxUtil.writeAttribute(writer, JBossSAMLConstants.ID.get(), assertion.getID());
+ StaxUtil.writeAttribute(writer, SAML11Constants.MAJOR_VERSION,
assertion.getMajorVersion() + "");
+ StaxUtil.writeAttribute(writer, SAML11Constants.MINOR_VERSION,
assertion.getMinorVersion() + "");
+ StaxUtil.writeAttribute(writer, JBossSAMLConstants.ISSUE_INSTANT.get(),
assertion.getIssueInstant().toString());
+
+ String issuer = assertion.getIssuer();
+ if (issuer != null)
+ {
+ StaxUtil.writeAttribute(writer, SAML11Constants.ISSUER, issuer);
+ }
+
+ SAML11ConditionsType conditions = assertion.getConditions();
+ if (conditions != null)
+ {
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
JBossSAMLConstants.CONDITIONS.get(), ns);
+
+ StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_BEFORE.get(),
conditions.getNotBefore().toString());
+ StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_ON_OR_AFTER.get(),
conditions.getNotOnOrAfter()
+ .toString());
+
+ List<SAML11ConditionAbstractType> typeOfConditions = conditions.get();
+ if (typeOfConditions != null)
+ {
+ for (SAML11ConditionAbstractType typeCondition : typeOfConditions)
+ {
+ if (typeCondition instanceof SAML11AudienceRestrictionCondition)
+ {
+ SAML11AudienceRestrictionCondition art =
(SAML11AudienceRestrictionCondition) typeCondition;
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
SAML11Constants.AUDIENCE_RESTRICTION_CONDITION,
+ ns);
+ List<URI> audiences = art.get();
+ if (audiences != null)
+ {
+ for (URI audience : audiences)
+ {
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
JBossSAMLConstants.AUDIENCE.get(), ns);
+ StaxUtil.writeCharacters(writer, audience.toString());
+ StaxUtil.writeEndElement(writer);
+ }
+ }
+
+ StaxUtil.writeEndElement(writer);
+ }
+ }
+ }
+
+ StaxUtil.writeEndElement(writer);
+ }
+
+ SAML11AdviceType advice = assertion.getAdvice();
+ if (advice != null)
+ throw new RuntimeException("Advice needs to be handled");
+
+ List<SAML11StatementAbstractType> statements = assertion.getStatements();
+ if (statements != null)
+ {
+ for (SAML11StatementAbstractType statement : statements)
+ {
+ if (statement instanceof SAML11AuthenticationStatementType)
+ {
+ write((SAML11AuthenticationStatementType) statement);
+ }
+ else if (statement instanceof SAML11AttributeStatementType)
+ {
+ write((SAML11AttributeStatementType) statement);
+ }
+ else if (statement instanceof SAML11AuthorizationDecisionStatementType)
+ {
+ write((SAML11AuthorizationDecisionStatementType) statement);
+ }
+ else
+ throw new RuntimeException("unknown statement type=" +
statement.getClass().getName());
+ }
+ }
+
+ StaxUtil.writeEndElement(writer);
+ StaxUtil.flush(writer);
+ }
+
+ /**
+ * Write an {@code StatementAbstractType} to stream
+ *
+ * @param statement
+ * @param out
+ * @throws ProcessingException
+ */
+ public void write(StatementAbstractType statement) throws ProcessingException
+ {
+ // TODO: handle this section
+ throw new RuntimeException("NYI");
+ }
+
+ public void write(SAML11AttributeStatementType statement) throws ProcessingException
+ {
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
JBossSAMLConstants.ATTRIBUTE_STATEMENT.get(),
+ SAML11Constants.ASSERTION_11_NSURI);
+
+ List<SAML11AttributeType> attributes = statement.get();
+ if (attributes != null)
+ {
+ for (SAML11AttributeType attr : attributes)
+ {
+ throw new RuntimeException("NYI");
+ }
+ }
+
+ StaxUtil.writeEndElement(writer);
+ StaxUtil.flush(writer);
+ }
+
+ /**
+ * Write an {@code AuthnStatementType} to stream
+ *
+ * @param authnStatement
+ * @param out
+ * @throws ProcessingException
+ */
+ public void write(SAML11AuthenticationStatementType authnStatement) throws
ProcessingException
+ {
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
JBossSAMLConstants.AUTHN_STATEMENT.get(),
+ SAML11Constants.ASSERTION_11_NSURI);
+
+ XMLGregorianCalendar authnInstant = authnStatement.getAuthenticationInstant();
+ if (authnInstant != null)
+ {
+ StaxUtil.writeAttribute(writer, SAML11Constants.AUTHENTICATION_INSTANT,
authnInstant.toString());
+ }
+
+ URI authMethod = authnStatement.getAuthenticationMethod();
+ if (authMethod != null)
+ {
+ StaxUtil.writeAttribute(writer, SAML11Constants.AUTHENTICATION_METHOD,
authMethod.toString());
+ }
+
+ StaxUtil.writeEndElement(writer);
+ StaxUtil.flush(writer);
+ }
+
+ public void write(SAML11AuthorizationDecisionStatementType xacmlStat) throws
ProcessingException
+ {
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
JBossSAMLConstants.STATEMENT.get(), ASSERTION_NSURI.get());
+
+ StaxUtil.writeNameSpace(writer, ASSERTION_PREFIX, ASSERTION_NSURI.get());
+ StaxUtil.writeNameSpace(writer, XACML_SAML_PREFIX,
JBossSAMLURIConstants.XACML_SAML_NSURI.get());
+ StaxUtil.writeNameSpace(writer, XACML_SAML_PROTO_PREFIX,
JBossSAMLURIConstants.XACML_SAML_PROTO_NSURI.get());
+ StaxUtil.writeNameSpace(writer, XSI_PREFIX,
JBossSAMLURIConstants.XSI_NSURI.get());
+
+ StaxUtil.writeAttribute(writer, new QName(JBossSAMLURIConstants.XSI_NSURI.get(),
JBossSAMLConstants.TYPE.get(),
+ XSI_PREFIX), XACMLAuthzDecisionStatementType.XSI_TYPE);
+
+ StaxUtil.writeEndElement(writer);
+ StaxUtil.flush(writer);
+ }
+
+ /**
+ * Write an {@code AuthnContextType} to stream
+ *
+ * @param authContext
+ * @param out
+ * @throws ProcessingException
+ */
+ public void write(AuthnContextType authContext) throws ProcessingException
+ {
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
JBossSAMLConstants.AUTHN_CONTEXT.get(),
+ ASSERTION_NSURI.get());
+
+ AuthnContextTypeSequence sequence = authContext.getSequence();
+ if (sequence != null)
+ {
+ AuthnContextClassRefType authnContextClassRefType = sequence.getClassRef();
+ if (authnContextClassRefType != null)
+ {
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
JBossSAMLConstants.AUTHN_CONTEXT_CLASS_REF.get(),
+ ASSERTION_NSURI.get());
+ StaxUtil.writeCharacters(writer,
authnContextClassRefType.getValue().toASCIIString());
+ StaxUtil.writeEndElement(writer);
+ }
+
+ Set<URIType> uriTypes = sequence.getURIType();
+ if (uriTypes != null)
+ {
+ for (URIType uriType : uriTypes)
+ {
+ if (uriType instanceof AuthnContextDeclType)
+ {
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
+ JBossSAMLConstants.AUTHN_CONTEXT_DECLARATION.get(),
ASSERTION_NSURI.get());
+ StaxUtil.writeCharacters(writer, uriType.getValue().toASCIIString());
+ StaxUtil.writeEndElement(writer);
+ }
+ if (uriType instanceof AuthnContextDeclRefType)
+ {
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
+ JBossSAMLConstants.AUTHN_CONTEXT_DECLARATION_REF.get(),
ASSERTION_NSURI.get());
+ StaxUtil.writeCharacters(writer, uriType.getValue().toASCIIString());
+ StaxUtil.writeEndElement(writer);
+ }
+ }
+ }
+ }
+
+ Set<URI> authAuthorities = authContext.getAuthenticatingAuthority();
+ if (authAuthorities != null)
+ {
+ for (URI aa : authAuthorities)
+ {
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
JBossSAMLConstants.AUTHENTICATING_AUTHORITY.get(),
+ ASSERTION_NSURI.get());
+ StaxUtil.writeCharacters(writer, aa.toASCIIString());
+ StaxUtil.writeEndElement(writer);
+ }
+ }
+
+ StaxUtil.writeEndElement(writer);
+ StaxUtil.flush(writer);
+ }
+
+ /**
+ * write an {@code SubjectType} to stream
+ *
+ * @param subject
+ * @param out
+ * @throws ProcessingException
+ */
+ public void write(SAML11SubjectType subject) throws ProcessingException
+ {
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
JBossSAMLConstants.SUBJECT.get(),
+ SAML11Constants.ASSERTION_11_NSURI);
+
+ SAML11SubjectTypeChoice choice = subject.getChoice();
+ if (choice != null)
+ {
+ SAML11NameIdentifierType nameid = choice.getNameID();
+ if (nameid != null)
+ {
+ write(nameid);
+ }
+ }
+
+ StaxUtil.writeEndElement(writer);
+ StaxUtil.flush(writer);
+ }
+
+ private void write(BaseIDAbstractType baseId) throws ProcessingException
+ {
+ throw new RuntimeException("NYI");
+ }
+
+ private void write(SubjectConfirmationType subjectConfirmationType) throws
ProcessingException
+ {
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
JBossSAMLConstants.SUBJECT_CONFIRMATION.get(),
+ ASSERTION_NSURI.get());
+
+ StaxUtil.writeAttribute(writer, JBossSAMLConstants.METHOD.get(),
subjectConfirmationType.getMethod());
+
+ BaseIDAbstractType baseID = subjectConfirmationType.getBaseID();
+ if (baseID != null)
+ {
+ write(baseID);
+ }
+ NameIDType nameIDType = subjectConfirmationType.getNameID();
+ if (nameIDType != null)
+ {
+ write(nameIDType, new QName(ASSERTION_NSURI.get(),
JBossSAMLConstants.NAMEID.get(), ASSERTION_PREFIX));
+ }
+ SubjectConfirmationDataType subjectConfirmationData =
subjectConfirmationType.getSubjectConfirmationData();
+ if (subjectConfirmationData != null)
+ {
+ write(subjectConfirmationData);
+ }
+ StaxUtil.writeEndElement(writer);
+ }
+
+ private void write(SubjectConfirmationDataType subjectConfirmationData) throws
ProcessingException
+ {
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
JBossSAMLConstants.SUBJECT_CONFIRMATION_DATA.get(),
+ ASSERTION_NSURI.get());
+
+ // Let us look at attributes
+ String inResponseTo = subjectConfirmationData.getInResponseTo();
+ if (StringUtil.isNotNull(inResponseTo))
+ {
+ StaxUtil.writeAttribute(writer, JBossSAMLConstants.IN_RESPONSE_TO.get(),
inResponseTo);
+ }
+
+ XMLGregorianCalendar notBefore = subjectConfirmationData.getNotBefore();
+ if (notBefore != null)
+ {
+ StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_BEFORE.get(),
notBefore.toString());
+ }
+
+ XMLGregorianCalendar notOnOrAfter = subjectConfirmationData.getNotOnOrAfter();
+ if (notOnOrAfter != null)
+ {
+ StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_ON_OR_AFTER.get(),
notOnOrAfter.toString());
+ }
+
+ String recipient = subjectConfirmationData.getRecipient();
+ if (StringUtil.isNotNull(recipient))
+ {
+ StaxUtil.writeAttribute(writer, JBossSAMLConstants.RECIPIENT.get(), recipient);
+ }
+
+ String address = subjectConfirmationData.getAddress();
+ if (StringUtil.isNotNull(address))
+ {
+ StaxUtil.writeAttribute(writer, JBossSAMLConstants.ADDRESS.get(), address);
+ }
+
+ if (subjectConfirmationData instanceof KeyInfoConfirmationDataType)
+ {
+ KeyInfoConfirmationDataType kicd = (KeyInfoConfirmationDataType)
subjectConfirmationData;
+ KeyInfoType keyInfo = (KeyInfoType) kicd.getAnyType();
+ if (keyInfo.getContent() == null || keyInfo.getContent().size() == 0)
+ throw new ProcessingException("Invalid KeyInfo object: content cannot be
empty");
+ StaxUtil.writeStartElement(this.writer, WSTrustConstants.XMLDSig.DSIG_PREFIX,
+ WSTrustConstants.XMLDSig.KEYINFO, WSTrustConstants.XMLDSig.DSIG_NS);
+ StaxUtil.writeNameSpace(this.writer, WSTrustConstants.XMLDSig.DSIG_PREFIX,
WSTrustConstants.XMLDSig.DSIG_NS);
+ // write the keyInfo content.
+ Object content = keyInfo.getContent().get(0);
+ if (content instanceof Element)
+ {
+ Element element = (Element) keyInfo.getContent().get(0);
+ StaxUtil.writeDOMNode(this.writer, element);
+ }
+ else if (content instanceof X509DataType)
+ {
+ X509DataType type = (X509DataType) content;
+ if (type.getDataObjects().size() == 0)
+ throw new ProcessingException("X509Data cannot be empy");
+ StaxUtil.writeStartElement(this.writer,
WSTrustConstants.XMLDSig.DSIG_PREFIX,
+ WSTrustConstants.XMLDSig.X509DATA, WSTrustConstants.XMLDSig.DSIG_NS);
+ Object obj = type.getDataObjects().get(0);
+ if (obj instanceof Element)
+ {
+ Element element = (Element) obj;
+ StaxUtil.writeDOMElement(this.writer, element);
+ }
+ else if (obj instanceof X509CertificateType)
+ {
+ X509CertificateType cert = (X509CertificateType) obj;
+ StaxUtil.writeStartElement(this.writer,
WSTrustConstants.XMLDSig.DSIG_PREFIX,
+ WSTrustConstants.XMLDSig.X509CERT,
WSTrustConstants.XMLDSig.DSIG_NS);
+ StaxUtil.writeCharacters(this.writer, new
String(cert.getEncodedCertificate()));
+ StaxUtil.writeEndElement(this.writer);
+ }
+ StaxUtil.writeEndElement(this.writer);
+ }
+ StaxUtil.writeEndElement(this.writer);
+ }
+
+ StaxUtil.writeEndElement(writer);
+ StaxUtil.flush(writer);
+ }
+
+ public void write(SAML11NameIdentifierType nameid) throws ProcessingException
+ {
+ StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
SAML11Constants.NAME_IDENTIFIER,
+ SAML11Constants.ASSERTION_11_NSURI);
+
+ URI format = nameid.getFormat();
+ if (format != null)
+ {
+ StaxUtil.writeAttribute(writer, SAML11Constants.FORMAT, format.toString());
+ }
+ String nameQualifier = nameid.getNameQualifier();
+ if (StringUtil.isNotNull(nameQualifier))
+ {
+ StaxUtil.writeAttribute(writer, SAML11Constants.NAME_QUALIFIER, nameQualifier);
+ }
+
+ StaxUtil.writeCharacters(writer, nameid.getValue());
+
+ StaxUtil.writeEndElement(writer);
+ StaxUtil.flush(writer);
+ }
+}
\ No newline at end of file
Added:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML11TokenProvider.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML11TokenProvider.java
(rev 0)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML11TokenProvider.java 2011-06-24
21:56:04 UTC (rev 1035)
@@ -0,0 +1,438 @@
+/*
+ * JBoss, Home of Professional Open Source. Copyright 2009, Red Hat Middleware LLC, and
individual contributors as
+ * indicated by the @author tags. See the copyright.txt file in the distribution for a
full listing of individual
+ * contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it under the terms of the
GNU Lesser General Public
+ * License as published by the Free Software Foundation; either version 2.1 of the
License, or (at your option) any
+ * later version.
+ *
+ * This software is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied
+ * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser
General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License along with
this software; if not, write to
+ * the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
USA, or see the FSF site:
+ * http://www.fsf.org.
+ */
+package org.picketlink.identity.federation.core.wstrust.plugins.saml;
+
+import java.net.URI;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+
+import org.apache.log4j.Logger;
+import org.picketlink.identity.federation.core.exceptions.ProcessingException;
+import org.picketlink.identity.federation.core.interfaces.ProtocolContext;
+import org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider;
+import org.picketlink.identity.federation.core.saml.v1.SAML11Constants;
+import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
+import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLConstants;
+import org.picketlink.identity.federation.core.saml.v2.factories.SAMLAssertionFactory;
+import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
+import org.picketlink.identity.federation.core.saml.v2.util.StatementUtil;
+import org.picketlink.identity.federation.core.sts.AbstractSecurityTokenProvider;
+import org.picketlink.identity.federation.core.wstrust.SecurityToken;
+import org.picketlink.identity.federation.core.wstrust.StandardSecurityToken;
+import org.picketlink.identity.federation.core.wstrust.WSTrustConstants;
+import org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext;
+import org.picketlink.identity.federation.core.wstrust.WSTrustUtil;
+import org.picketlink.identity.federation.core.wstrust.wrappers.Lifetime;
+import org.picketlink.identity.federation.saml.v1.assertion.SAML11AssertionType;
+import
org.picketlink.identity.federation.saml.v1.assertion.SAML11AudienceRestrictionCondition;
+import org.picketlink.identity.federation.saml.v1.assertion.SAML11ConditionsType;
+import org.picketlink.identity.federation.saml.v1.assertion.SAML11StatementAbstractType;
+import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
+import org.picketlink.identity.federation.saml.v2.assertion.KeyInfoConfirmationDataType;
+import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
+import org.picketlink.identity.federation.saml.v2.assertion.StatementAbstractType;
+import org.picketlink.identity.federation.saml.v2.assertion.SubjectConfirmationType;
+import org.picketlink.identity.federation.saml.v2.assertion.SubjectType;
+import org.picketlink.identity.federation.ws.policy.AppliesTo;
+import org.picketlink.identity.federation.ws.trust.RequestedReferenceType;
+import org.picketlink.identity.federation.ws.trust.StatusType;
+import org.picketlink.identity.federation.ws.wss.secext.KeyIdentifierType;
+import org.w3c.dom.Element;
+
+/**
+ * <p>
+ * A {@code SecurityTokenProvider} implementation that handles WS-Trust SAML 2.0 token
requests.
+ * </p>
+ *
+ * @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
+ */
+public class SAML11TokenProvider extends AbstractSecurityTokenProvider implements
SecurityTokenProvider
+{
+ protected static Logger logger = Logger.getLogger(SAML11TokenProvider.class);
+
+ private SAML20TokenAttributeProvider attributeProvider;
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see
org.picketlink.identity.federation.core.wstrust.SecurityTokenProvider#initialize(java.util.Map)
+ */
+ public void initialize(Map<String, String> properties)
+ {
+ super.initialize(properties);
+
+ // Check if an attribute provider has been set.
+ String attributeProviderClassName = this.properties.get(ATTRIBUTE_PROVIDER);
+ if (attributeProviderClassName == null)
+ {
+ if (logger.isDebugEnabled())
+ logger.debug("No attribute provider set");
+ }
+ else
+ {
+ try
+ {
+ Object object =
SecurityActions.instantiateClass(attributeProviderClassName);
+ if (object instanceof SAML20TokenAttributeProvider)
+ {
+ this.attributeProvider = (SAML20TokenAttributeProvider) object;
+ this.attributeProvider.setProperties(this.properties);
+ }
+ else
+ logger.warn("Attribute provider not installed: " +
attributeProviderClassName
+ + "is not an instance of SAML20TokenAttributeProvider");
+ }
+ catch (PrivilegedActionException pae)
+ {
+ logger.warn("Error instantiating attribute provider: " +
pae.getMessage());
+ pae.printStackTrace();
+ }
+ }
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.picketlink.identity.federation.core.wstrust.SecurityTokenProvider#
+ * cancelToken(org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext)
+ */
+ public void cancelToken(ProtocolContext protoContext) throws ProcessingException
+ {
+ if (!(protoContext instanceof WSTrustRequestContext))
+ return;
+
+ WSTrustRequestContext context = (WSTrustRequestContext) protoContext;
+
+ // get the assertion that must be canceled.
+ Element token = context.getRequestSecurityToken().getCancelTargetElement();
+ if (token == null)
+ throw new ProcessingException("Invalid cancel request: missing required
CancelTarget");
+ Element assertionElement = (Element) token.getFirstChild();
+ if (!this.isAssertion(assertionElement))
+ throw new ProcessingException("CancelTarget doesn't not contain a
SAMLV2.0 assertion");
+
+ // get the assertion ID and add it to the canceled assertions set.
+ String assertionId = assertionElement.getAttribute("ID");
+ this.revocationRegistry.revokeToken(SAMLUtil.SAML11_TOKEN_TYPE, assertionId);
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.picketlink.identity.federation.core.wstrust.SecurityTokenProvider#
+ * issueToken(org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext)
+ */
+ public void issueToken(ProtocolContext protoContext) throws ProcessingException
+ {
+ if (!(protoContext instanceof WSTrustRequestContext))
+ return;
+
+ WSTrustRequestContext context = (WSTrustRequestContext) protoContext;
+ // generate an id for the new assertion.
+ String assertionID = IDGenerator.create("ID_");
+
+ // lifetime and audience restrictions.
+ Lifetime lifetime = context.getRequestSecurityToken().getLifetime();
+ SAML11AudienceRestrictionCondition restriction = null;
+ AppliesTo appliesTo = context.getRequestSecurityToken().getAppliesTo();
+ if (appliesTo != null)
+ {
+ restriction = new SAML11AudienceRestrictionCondition();
+ restriction.add(URI.create(WSTrustUtil.parseAppliesTo(appliesTo)));
+ }
+ SAML11ConditionsType conditions = new SAML11ConditionsType();
+ conditions.setNotBefore(lifetime.getCreated());
+ conditions.setNotOnOrAfter(lifetime.getExpires());
+ conditions.add(restriction);
+
+ // the assertion principal (default is caller principal)
+ Principal principal = context.getCallerPrincipal();
+
+ String confirmationMethod = null;
+ KeyInfoConfirmationDataType keyInfoDataType = null;
+ // if there is a on-behalf-of principal, we have the sender vouches confirmation
method.
+ if (context.getOnBehalfOfPrincipal() != null)
+ {
+ principal = context.getOnBehalfOfPrincipal();
+ confirmationMethod = SAMLUtil.SAML11_SENDER_VOUCHES_URI;
+ }
+ // if there is a proof-of-possession token in the context, we have the holder of
key confirmation method.
+ else if (context.getProofTokenInfo() != null)
+ {
+ confirmationMethod = SAMLUtil.SAML11_HOLDER_OF_KEY_URI;
+ keyInfoDataType =
SAMLAssertionFactory.createKeyInfoConfirmation(context.getProofTokenInfo());
+ }
+ else
+ confirmationMethod = SAMLUtil.SAML11_BEARER_URI;
+
+ SubjectConfirmationType subjectConfirmation =
SAMLAssertionFactory.createSubjectConfirmation(null,
+ confirmationMethod, keyInfoDataType);
+
+ // create a subject using the caller principal or on-behalf-of principal.
+ String subjectName = principal == null ? "ANONYMOUS" :
principal.getName();
+ NameIDType nameID = SAMLAssertionFactory.createNameID(null,
"urn:picketlink:identity-federation", subjectName);
+ SubjectType subject = SAMLAssertionFactory.createSubject(nameID,
subjectConfirmation);
+
+ // create the attribute statements if necessary.
+ List<StatementAbstractType> statements = null;
+ Map<String, Object> claimedAttributes = context.getClaimedAttributes();
+ if (claimedAttributes != null)
+ {
+ statements = new ArrayList<StatementAbstractType>();
+ statements.add(StatementUtil.createAttributeStatement(claimedAttributes));
+ }
+ /*
+ // create the SAML assertion.
+ NameIDType issuerID = SAMLAssertionFactory.createNameID(null, null,
context.getTokenIssuer());
+ AssertionType assertion = SAMLAssertionFactory.createAssertion(assertionID,
issuerID, lifetime.getCreated(),
+ conditions, subject, statements);
+
+ if (this.attributeProvider != null)
+ {
+ AttributeStatementType attributeStatement =
this.attributeProvider.getAttributeStatement();
+ if (attributeStatement != null)
+ {
+ assertion.addStatement(attributeStatement);
+ }
+ }
+
+ // convert the constructed assertion to element.
+ Element assertionElement = null;
+ try
+ {
+ assertionElement = SAMLUtil.toElement(assertion);
+ }
+ catch (Exception e)
+ {
+ throw new ProcessingException("Failed to marshall SAMLV2
assertion", e);
+ }
+
+ SecurityToken token = new
StandardSecurityToken(context.getRequestSecurityToken().getTokenType().toString(),
+ assertionElement, assertionID);
+ context.setSecurityToken(token);
+
+ // set the SAML assertion attached reference.
+ KeyIdentifierType keyIdentifier =
WSTrustUtil.createKeyIdentifier(SAMLUtil.SAML11_VALUE_TYPE, "#" + assertionID);
+ Map<QName, String> attributes = new HashMap<QName, String>();
+ attributes.put(new QName(WSTrustConstants.WSSE11_NS, "TokenType",
WSTrustConstants.WSSE.PREFIX_11),
+ SAMLUtil.SAML11_TOKEN_TYPE);
+ RequestedReferenceType attachedReference =
WSTrustUtil.createRequestedReference(keyIdentifier, attributes);
+ context.setAttachedReference(attachedReference);*/
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.picketlink.identity.federation.core.wstrust.SecurityTokenProvider#
+ * renewToken(org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext)
+ */
+ public void renewToken(ProtocolContext protoContext) throws ProcessingException
+ {
+ if (!(protoContext instanceof WSTrustRequestContext))
+ return;
+
+ WSTrustRequestContext context = (WSTrustRequestContext) protoContext;
+ // get the specified assertion that must be renewed.
+ Element token = context.getRequestSecurityToken().getRenewTargetElement();
+ if (token == null)
+ throw new ProcessingException("Invalid renew request: missing required
RenewTarget");
+ Element oldAssertionElement = (Element) token.getFirstChild();
+ if (!this.isAssertion(oldAssertionElement))
+ throw new ProcessingException("RenewTarget doesn't not contain a
SAMLV1.1 assertion");
+
+ // get the JAXB representation of the old assertion.
+ SAML11AssertionType oldAssertion = null;
+ try
+ {
+ oldAssertion = SAMLUtil.saml11FromElement(oldAssertionElement);
+ }
+ catch (Exception je)
+ {
+ throw new ProcessingException("Error unmarshalling assertion", je);
+ }
+
+ // canceled assertions cannot be renewed.
+ if (this.revocationRegistry.isRevoked(SAMLUtil.SAML11_TOKEN_TYPE,
oldAssertion.getID()))
+ throw new ProcessingException("Assertion with id " +
oldAssertion.getID()
+ + " has been canceled and cannot be renewed");
+
+ // adjust the lifetime for the renewed assertion.
+ SAML11ConditionsType conditions = oldAssertion.getConditions();
+
conditions.setNotBefore(context.getRequestSecurityToken().getLifetime().getCreated());
+
conditions.setNotOnOrAfter(context.getRequestSecurityToken().getLifetime().getExpires());
+
+ // create a new unique ID for the renewed assertion.
+ String assertionID = IDGenerator.create("ID_");
+
+ List<SAML11StatementAbstractType> statements = new
ArrayList<SAML11StatementAbstractType>();
+ statements.addAll(oldAssertion.getStatements());
+
+ // create the new assertion.
+ XMLGregorianCalendar created =
context.getRequestSecurityToken().getLifetime().getCreated();
+
+ SAML11AssertionType newAssertion = AssertionUtil.createSAML11Assertion(assertionID,
created,
+ oldAssertion.getIssuer());
+ newAssertion.addAllStatements(oldAssertion.getStatements());
+
+ // create a security token with the new assertion.
+ Element assertionElement = null;
+ try
+ {
+ assertionElement = SAMLUtil.toElement(newAssertion);
+ }
+ catch (Exception e)
+ {
+ throw new ProcessingException("Failed to marshall SAMLV2 assertion",
e);
+ }
+ SecurityToken securityToken = new
StandardSecurityToken(context.getRequestSecurityToken().getTokenType()
+ .toString(), assertionElement, assertionID);
+ context.setSecurityToken(securityToken);
+
+ // set the SAML assertion attached reference.
+ KeyIdentifierType keyIdentifier =
WSTrustUtil.createKeyIdentifier(SAMLUtil.SAML11_VALUE_TYPE, "#" + assertionID);
+ Map<QName, String> attributes = new HashMap<QName, String>();
+ attributes.put(new QName(WSTrustConstants.WSSE11_NS, "TokenType"),
SAMLUtil.SAML11_TOKEN_TYPE);
+ RequestedReferenceType attachedReference =
WSTrustUtil.createRequestedReference(keyIdentifier, attributes);
+ context.setAttachedReference(attachedReference);
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.picketlink.identity.federation.core.wstrust.SecurityTokenProvider#
+ *
validateToken(org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext)
+ */
+ public void validateToken(ProtocolContext protoContext) throws ProcessingException
+ {
+ if (!(protoContext instanceof WSTrustRequestContext))
+ return;
+
+ WSTrustRequestContext context = (WSTrustRequestContext) protoContext;
+ if (logger.isTraceEnabled())
+ logger.trace("SAML V2.0 token validation started");
+
+ // get the SAML assertion that must be validated.
+ Element token = context.getRequestSecurityToken().getValidateTargetElement();
+ if (token == null)
+ throw new ProcessingException("Bad validate request: missing required
ValidateTarget");
+
+ String code = WSTrustConstants.STATUS_CODE_VALID;
+ String reason = "SAMLV2.0 Assertion successfuly validated";
+
+ AssertionType assertion = null;
+ Element assertionElement = (Element) token.getFirstChild();
+ if (!this.isAssertion(assertionElement))
+ {
+ code = WSTrustConstants.STATUS_CODE_INVALID;
+ reason = "Validation failure: supplied token is not a SAMLV2.0
Assertion";
+ }
+ else
+ {
+ try
+ {
+ assertion = SAMLUtil.fromElement(assertionElement);
+ }
+ catch (Exception e)
+ {
+ throw new ProcessingException("Unmarshalling error:", e);
+ }
+ }
+
+ // check if the assertion has been canceled before.
+ if (this.revocationRegistry.isRevoked(SAMLUtil.SAML11_TOKEN_TYPE,
assertion.getID()))
+ {
+ code = WSTrustConstants.STATUS_CODE_INVALID;
+ reason = "Validation failure: assertion with id " + assertion.getID()
+ " has been canceled";
+ }
+
+ // check the assertion lifetime.
+ try
+ {
+ if (AssertionUtil.hasExpired(assertion))
+ {
+ code = WSTrustConstants.STATUS_CODE_INVALID;
+ reason = "Validation failure: assertion expired or used before its
lifetime period";
+ }
+ }
+ catch (Exception ce)
+ {
+ code = WSTrustConstants.STATUS_CODE_INVALID;
+ reason = "Validation failure: unable to verify assertion lifetime: " +
ce.getMessage();
+ }
+
+ // construct the status and set it on the request context.
+ StatusType status = new StatusType();
+ status.setCode(code);
+ status.setReason(reason);
+ context.setStatus(status);
+ }
+
+ /**
+ * <p>
+ * Checks whether the specified element is a SAMLV2.0 assertion or not.
+ * </p>
+ *
+ * @param element
+ * the {@code Element} being verified.
+ * @return {@code true} if the element is a SAMLV2.0 assertion; {@code false}
otherwise.
+ */
+ private boolean isAssertion(Element element)
+ {
+ return element == null ? false :
"Assertion".equals(element.getLocalName())
+ &&
SAML11Constants.ASSERTION_11_NSURI.equals(element.getNamespaceURI());
+ }
+
+ /**
+ * @see {@code SecurityTokenProvider#supports(String)}
+ */
+ public boolean supports(String namespace)
+ {
+ return WSTrustConstants.BASE_NAMESPACE.equals(namespace);
+ }
+
+ /**
+ * @see
org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider#tokenType()
+ */
+ public String tokenType()
+ {
+ return SAMLUtil.SAML11_TOKEN_TYPE;
+ }
+
+ /**
+ * @see
org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider#getSupportedQName()
+ */
+ public QName getSupportedQName()
+ {
+ return new QName(tokenType(), JBossSAMLConstants.ASSERTION.get());
+ }
+
+ /**
+ * @see
org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider#family()
+ */
+ public String family()
+ {
+ return SecurityTokenProvider.FAMILY_TYPE.WS_TRUST.toString();
+ }
+}
\ No newline at end of file
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAMLUtil.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAMLUtil.java 2011-06-24
19:10:12 UTC (rev 1034)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAMLUtil.java 2011-06-24
21:56:04 UTC (rev 1035)
@@ -23,14 +23,17 @@
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
+import java.security.GeneralSecurityException;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ParsingException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.parsers.saml.SAMLParser;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
+import org.picketlink.identity.federation.core.saml.v2.writers.SAML11AssertionWriter;
import org.picketlink.identity.federation.core.saml.v2.writers.SAMLAssertionWriter;
import org.picketlink.identity.federation.core.util.StaxUtil;
+import org.picketlink.identity.federation.saml.v1.assertion.SAML11AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -45,12 +48,22 @@
public class SAMLUtil
{
+ public static final String SAML11_BEARER_URI =
"urn:oasis:names:tc:SAML:1.0:cm:bearer";
+
+ public static final String SAML11_HOLDER_OF_KEY_URI =
"urn:oasis:names:tc:SAML:1.0:cm:holder-of-key";
+
+ public static final String SAML11_SENDER_VOUCHES_URI =
"urn:oasis:names:tc:SAML:1.0:cm:sender-vouches";
+
public static final String SAML2_BEARER_URI =
"urn:oasis:names:tc:SAML:2.0:cm:bearer";
public static final String SAML2_HOLDER_OF_KEY_URI =
"urn:oasis:names:tc:SAML:2.0:cm:holder-of-key";
public static final String SAML2_SENDER_VOUCHES_URI =
"urn:oasis:names:tc:SAML:2.0:cm:sender-vouches";
+ public static final String SAML11_TOKEN_TYPE =
"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
+
+ public static final String SAML11_VALUE_TYPE =
"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID";
+
public static final String SAML2_TOKEN_TYPE =
"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
public static final String SAML2_VALUE_TYPE =
"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";
@@ -80,6 +93,29 @@
/**
* <p>
+ * Utility method that marshals the specified {@code AssertionType} object into an
{@code Element} instance.
+ * </p>
+ *
+ * @param assertion
+ * an {@code AssertionType} object representing the SAML assertion to be
marshaled.
+ * @return a reference to the {@code Element} that contains the marshaled SAML
assertion.
+ * @throws Exception
+ * if an error occurs while marshaling the assertion.
+ */
+ public static Element toElement(SAML11AssertionType assertion) throws Exception
+ {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ SAML11AssertionWriter writer = new
SAML11AssertionWriter(StaxUtil.getXMLStreamWriter(baos));
+ writer.write(assertion);
+
+ ByteArrayInputStream bis = new ByteArrayInputStream(baos.toByteArray());
+ Document document = DocumentUtil.getDocument(bis);
+
+ return document.getDocumentElement();
+ }
+
+ /**
+ * <p>
* Utility method that unmarshals the specified {@code Element} into an {@code
AssertionType} instance.
* </p>
*
@@ -97,4 +133,16 @@
AssertionType assertion = (AssertionType)
samlParser.parse(DocumentUtil.getNodeAsStream(assertionElement));
return assertion;
}
-}
+
+ /**
+ * Given a {@link Element} that represents a SAML 1.1 assertion, convert it into a
{@link SAML11AssertionType}
+ * @param assertionElement
+ * @return
+ * @throws GeneralSecurityException
+ */
+ public static SAML11AssertionType saml11FromElement(Element assertionElement) throws
GeneralSecurityException
+ {
+ SAMLParser samlParser = new SAMLParser();
+ return (SAML11AssertionType)
samlParser.parse(DocumentUtil.getNodeAsStream(assertionElement));
+ }
+}
\ No newline at end of file
4929
days inactive
4929
days old
picketlink-commits@lists.jboss.org
0 comments
1 participants
participants (1)
-
picketlink-commits@lists.jboss.org