Author: anil.saldhana(a)jboss.com
Date: 2012-03-12 10:26:40 -0400 (Mon, 12 Mar 2012)
New Revision: 1494
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java
Log:
PLFED-271: IDP can enforce a strict HTTP-POST binding for its responses
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
---
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2012-03-09
09:41:41 UTC (rev 1493)
+++
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2012-03-12
14:26:40 UTC (rev 1494)
@@ -189,6 +189,13 @@
* A Lock for Handler operations in the chain
*/
private final Lock chainLock = new ReentrantLock();
+
+ /**
+ * SAML Web Browser SSO Profile has a requirement that the IDP does not respond
+ * back in Redirect Binding. Set this to true if you want the IDP to adhere to
+ * this requirement via
+ */
+ private boolean strictPostBinding = false;
//Set a list of attributes we are interested in separated by comma
public void setAttributeList(String attribList)
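Review bot: The Javadoc on `strictPostBinding` stops mid-sentence ("adhere to this requirement via"), so a deployer cannot tell from it how the flag is switched on or what it changes. Suggest finishing it as `Set this to true (presumably the valve attribute strictPostBinding, which maps to setStrictPostBinding) if you want the IDP to adhere to this requirement; when set, every response is sent with the HTTP-POST binding even if the SP asked for Redirect, as the send path in IDPWebRequestUtil now does. Default: false.` The default deserves the explicit mention because, until it is flipped, the valve still answers a Redirect request with a Redirect-bound response, which is what the profile forbids.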
@@ -217,6 +224,11 @@
}
}
+ public void setStrictPostBinding(Boolean strictPostBinding)
+ {
+ this.strictPostBinding = strictPostBinding;
+ }
+
public Boolean getIgnoreIncomingSignatures()
{
return ignoreIncomingSignatures;
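Review bot: The new setter has no matching getter, while the neighbouring `getIgnoreIncomingSignatures()` shows this file exposes each valve attribute both ways; add `public Boolean getStrictPostBinding() { return strictPostBinding; }` so the effective value can be read back and asserted in tests. The parameter is a boxed `Boolean` that is unboxed into a primitive field, so a null argument throws a NullPointerException from inside the setter; if that is acceptable, a one-line `@param` note saying the value must be non-null is enough, otherwise use `this.strictPostBinding = Boolean.TRUE.equals(strictPostBinding);`.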
@@ -360,10 +372,10 @@
if (this.signOutgoingMessages)
{
holder.setSupportSignature(true).setPrivateKey(keyManager.getSigningKey());
- webRequestUtil.send(holder);
- //webRequestUtil.send(samlErrorResponse, referer, relayState, response,
true,
- //this.keyManager.getSigningKey(), false);
}
+
+ if(strictPostBinding)
+ holder.setStrictPostBinding(true);
webRequestUtil.send(holder);
}
catch (GeneralSecurityException e)
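Review bot: `if(strictPostBinding) holder.setStrictPostBinding(true);` is an unbraced conditional that only copies the field, so `holder.setStrictPostBinding(strictPostBinding);` expresses it in one line with no brace-less body to extend by mistake. The same three lines are pasted in front of every `webRequestUtil.send(holder)` in this file, and from the later hunks apparently twice within one method; since strictness is a property of the valve rather than of a particular message, any send path added later that forgets the copy will silently answer in the Redirect binding again, which is exactly what the flag is meant to prevent. Setting it once where the holder is built, or on the request util itself, removes that trap.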
@@ -650,6 +662,9 @@
holder.setResponseDoc(samlResponse).setDestination(destination).setRelayState(relayState)
.setAreWeSendingRequest(willSendRequest).setPrivateKey(null).setSupportSignature(false)
.setServletResponse(response);
+
+ if(strictPostBinding)
+ holder.setStrictPostBinding(true);
if (requestedPostProfile != null)
holder.setPostBindingRequested(requestedPostProfile);
@@ -661,6 +676,8 @@
holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true);
}
+ if(strictPostBinding)
+ holder.setStrictPostBinding(true);
webRequestUtil.send(holder);
}
catch (ParsingException e)
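Review bot: `holder.setStrictPostBinding(true)` here appears to be applied to the same holder that already had it set a few lines earlier in the previous hunk, assuming the line numbers are right that both hunks belong to one method (its start is outside this hunk). One of the two can go; keeping only the one immediately before `webRequestUtil.send(holder)` is the safer choice, since it is the last statement that runs before the binding decision.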
@@ -840,6 +857,9 @@
{
holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true);
}
+
+ if(strictPostBinding)
+ holder.setStrictPostBinding(true);
webRequestUtil.send(holder);
}
catch (ParsingException e)
@@ -922,6 +942,9 @@
{
holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true);
}
+
+ if(strictPostBinding)
+ holder.setStrictPostBinding(true);
webRequestUtil.send(holder);
}
catch (ParsingException e1)
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
===================================================================
---
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2012-03-09
09:41:41 UTC (rev 1493)
+++
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2012-03-12
14:26:40 UTC (rev 1494)
@@ -80,6 +80,22 @@
protected static Logger log = Logger.getLogger(SPRedirectFormAuthenticator.class);
protected boolean jbossEnv = false;
+
+ /**
+ * The SAML Web Browser SSO Profile says that the IDP cannot send
+ * response back in Redirect Binding. The user should use this
+ * parameter to adhere to that requirement.
+ */
+ protected boolean idpPostBinding = false;
+
+ /**
+ * Set the Authenticator to expect a post response from IDP
+ * @param idpPostBinding
+ */
+ public void setIdpPostBinding(Boolean idpPostBinding)
+ {
+ this.idpPostBinding = idpPostBinding;
+ }
public SPRedirectFormAuthenticator()
{
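Review bot: The Javadoc on `idpPostBinding` promises that the parameter lets the user "adhere to that requirement", but as wired in this commit the flag only selects the POST decoder in `ServiceProviderSAMLResponseProcessor`; a response that actually arrives on the Redirect binding is not refused, it just fails to parse. The comment should say so, e.g. `When true, the IDP response is decoded as HTTP-POST (plain base64) rather than HTTP-Redirect (base64 + inflate). This does not by itself reject responses delivered on the Redirect binding.` The setter takes a boxed `Boolean` and unboxes it into a primitive field, so note in `@param idpPostBinding` that null throws NullPointerException, or guard with `Boolean.TRUE.equals(idpPostBinding)`.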
@@ -237,6 +253,8 @@
{
ServiceProviderSAMLResponseProcessor responseProcessor = new
ServiceProviderSAMLResponseProcessor(false,
serviceURL);
+ if(idpPostBinding)
+ responseProcessor.setIdpPostBinding(true);
initializeSAMLProcessor(responseProcessor);
SAML2HandlerResponse saml2HandlerResponse = null;
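Review bot: With `idpPostBinding` set, the authenticator still hands whatever arrived to the processor and relies on the wrong decoder failing, so a Redirect-delivered response (the case the profile forbids) surfaces as a generic parsing error rather than as a policy violation, and nothing here checks the HTTP method at all. If the enclosing method, whose start is outside this hunk, has the request in scope as the surrounding Catalina code usually does, an explicit check before building the processor — `if (idpPostBinding && !"POST".equalsIgnoreCase(request.getMethod()))` — should fail the login through the same error path the method already uses for an invalid response, with a log line naming the binding. Separately, `if(idpPostBinding) responseProcessor.setIdpPostBinding(true);` collapses to `responseProcessor.setIdpPostBinding(idpPostBinding);`.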
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2012-03-09
09:41:41 UTC (rev 1493)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2012-03-12
14:26:40 UTC (rev 1494)
@@ -93,6 +93,8 @@
String SAML_SIG_ALG_REQUEST_KEY = "SigAlg";
String SAML_SIGNATURE_REQUEST_KEY = "Signature";
+
+ String SAML_IDP_STRICT_POST_BINDING = "SAML_IDP_STRICT_POST_BINDING";
String DECRYPTING_KEY = "DECRYPTING_KEY";
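Review bot: `SAML_IDP_STRICT_POST_BINDING` is read as an `IDPServlet` init-parameter name elsewhere in this commit, but nothing at the declaration says so or what values it accepts, and the neighbouring constants are equally bare. A one-line comment keeps the contract next to the key: `// IDPServlet init-param; "true" forces every IDP response onto the HTTP-POST binding (SAML Web Browser SSO Profile)`.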
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java 2012-03-09
09:41:41 UTC (rev 1493)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java 2012-03-12
14:26:40 UTC (rev 1494)
@@ -67,6 +67,13 @@
public class ServiceProviderSAMLResponseProcessor extends ServiceProviderBaseProcessor
{
private boolean validateSignature = false;
+
+ private boolean idpPostBinding = false;
+
+ public void setIdpPostBinding(boolean idpPostBinding)
+ {
+ this.idpPostBinding = idpPostBinding;
+ }
/**
* Construct
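Review bot: `idpPostBinding` and its setter are added without a comment, and the name does not reveal that the field overrides the constructor's `postBinding` choice when the response is decoded. Suggest `// Decode the IDP response as HTTP-POST (base64, no inflate) even when this processor was constructed for the Redirect binding; set by the SP authenticator when the IDP is known to reply with POST only.` A Javadoc `@param` on the setter along the same lines would let callers see it without reading the decode logic.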
@@ -106,24 +113,22 @@
SAMLDocumentHolder documentHolder = null;
SAML2Object samlObject = null;
- if (this.postBinding)
- {
- //we got a logout request
+ InputStream dataStream = null;
+
+ if (this.postBinding || idpPostBinding )
+ {
//deal with SAML response from IDP
- InputStream is = PostBindingUtil.base64DecodeAsStream(samlResponse);
-
- samlObject = saml2Response.getSAML2ObjectFromStream(is);
- documentHolder = saml2Response.getSamlDocumentHolder();
+ dataStream = PostBindingUtil.base64DecodeAsStream(samlResponse);
}
else
{
//deal with SAML response from IDP
- InputStream base64DecodedResponse =
RedirectBindingUtil.base64DeflateDecode(samlResponse);
-
- samlObject = saml2Response.getSAML2ObjectFromStream(base64DecodedResponse);
- documentHolder = saml2Response.getSamlDocumentHolder();
+ dataStream = RedirectBindingUtil.base64DeflateDecode(samlResponse);
}
+ samlObject = saml2Response.getSAML2ObjectFromStream(dataStream);
+ documentHolder = saml2Response.getSamlDocumentHolder();
+
if (this.validateSignature)
try
{
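Review bot: Both branches now carry the identical comment `//deal with SAML response from IDP`, which no longer tells the reader which binding each one decodes; replace them with `// HTTP-POST: plain base64` and `// HTTP-Redirect: base64 then inflate`. More importantly, the Redirect branch inflates `samlResponse`, which is attacker-controlled, before any signature check runs; unless `RedirectBindingUtil.base64DeflateDecode` caps its output (not visible here), a small crafted payload can expand into a large in-memory buffer, so a bound on the inflated size — or at least on the incoming parameter length — is worth adding ahead of the decode. Note also that a response arriving on the "wrong" binding for the configured flag only fails later inside `getSAML2ObjectFromStream` as a generic parse error; a dedicated log message at the decode step would make binding-policy violations visible to operators. The enclosing method starts and ends outside this hunk.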
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java 2012-03-09
09:41:41 UTC (rev 1493)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java 2012-03-12
14:26:40 UTC (rev 1494)
@@ -130,7 +130,22 @@
protected transient ServletContext context = null;
protected transient SAML2HandlerChain chain = null;
+
+ //Cater to SAML Web Browser SSO Profile demand that we do not reply in Redirect
Binding
+ private boolean strictPostBinding = false;
+
+ public boolean isStrictPostBinding()
+ {
+ return strictPostBinding;
+ }
+
+ public void setStrictPostBinding(boolean strictPostBinding)
+ {
+ this.strictPostBinding = strictPostBinding;
+ }
+
+
/**
* If the user wants to set a particular {@link IdentityParticipantStack}
*/
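Review bot: The one-line comment on `strictPostBinding` says which profile rule it caters to but not how it is switched on or that the default leaves the rule unenforced; expand it to `// Force every response onto the HTTP-POST binding (SAML Web Browser SSO Profile forbids Redirect for responses). Configured via the SAML_IDP_STRICT_POST_BINDING init-param; default false, i.e. not enforced.` The public `isStrictPostBinding()`/`setStrictPostBinding()` pair is fine for tests, but a short Javadoc saying the init-param is the intended configuration path would stop readers from treating the setter as the supported interface.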
@@ -163,6 +178,13 @@
throw new RuntimeException(ErrorCodes.PROCESSING_EXCEPTION, e);
}
}
+
+ String strictPostBindingStr =
config.getInitParameter(GeneralConstants.SAML_IDP_STRICT_POST_BINDING);
+ if(StringUtil.isNotNull(strictPostBindingStr))
+ {
+ strictPostBinding = Boolean.parseBoolean(strictPostBindingStr);
+ }
+
context = config.getServletContext();
if (idpConfiguration == null)
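Review bot: `Boolean.parseBoolean(strictPostBindingStr)` returns false for anything that is not exactly "true" (case-insensitively), so a value such as `yes`, `1` or `"true "` with a stray space silently disables a security setting the operator believes is on. For a fail-closed control, reject unrecognised values instead: `String v = strictPostBindingStr.trim(); if (!v.equalsIgnoreCase("true") && !v.equalsIgnoreCase("false")) { fail init }` using whatever error convention `init` already applies to configuration problems (the throw just above this hunk uses `ErrorCodes.PROCESSING_EXCEPTION`), and log the effective value so it shows up in startup output. The `init` method starts and ends outside this hunk.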
@@ -572,12 +594,10 @@
if (this.signOutgoingMessages)
{
holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true);
- /*webRequestUtil.send(samlResponse, destination,relayState, response,
true,
- this.keyManager.getSigningKey(), willSendRequest);*/
}
- /*
- else
- webRequestUtil.send(samlResponse, destination, relayState, response,
false,null, willSendRequest);*/
+
+ if(strictPostBinding)
+ holder.setStrictPostBinding(strictPostBinding);
webRequestUtil.send(holder);
}
catch (ParsingException e)
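Review bot: `if(strictPostBinding) holder.setStrictPostBinding(strictPostBinding);` is redundant — the condition and the argument carry the same value — and it differs from the other site in this file, which passes the literal `true`; both reduce to `holder.setStrictPostBinding(strictPostBinding);`. If the conditional is kept, it should get braces to match the block style of the signing branch directly above it.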
@@ -614,12 +634,10 @@
if (this.signOutgoingMessages)
{
holder.setPrivateKey(keyManager.getSigningKey()).setSupportSignature(true);
- /*webRequestUtil.send(samlResponse, referrer, relayState, response, true,
- this.keyManager.getSigningKey(), false);*/
}
- /* else
- webRequestUtil.send(samlResponse, referrer, relayState, response,
false,null, false);*/
+ if(strictPostBinding)
+ holder.setStrictPostBinding(true);
webRequestUtil.send(holder);
}
catch (ParsingException e1)
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java 2012-03-09
09:41:41 UTC (rev 1493)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java 2012-03-12
14:26:40 UTC (rev 1494)
@@ -81,6 +81,7 @@
private final TrustKeyManager keyManager;
+
protected String canonicalizationMethod =
CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
public IDPWebRequestUtil(HttpServletRequest request, IDPType idp, TrustKeyManager
keym)
@@ -232,7 +233,7 @@
boolean sendRequest = holder.isAreWeSendingRequest();
HttpServletResponse response = holder.getServletResponse();
- if (holder.isPostBindingRequested() == false)
+ if (holder.isPostBindingRequested() == false &&
!holder.isStrictPostBinding())
{
byte[] responseBytes =
DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
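Review bot: The binding decision now depends on a flag that every caller must remember to copy into the holder before `send`, which the rest of this commit does at seven separate sites; since `IDPWebRequestUtil` is constructed with the `IDPType` configuration (see the constructor in the first hunk of this file), the strictness policy belongs here, enforced on every send regardless of what the holder says. Concretely: add `private boolean strictPostBinding;` with a setter (or derive it from `idp` if the configuration type carries it — not visible here), and change the test to `boolean usePost = holder.isPostBindingRequested() || holder.isStrictPostBinding() || strictPostBinding;` followed by `if (!usePost) {`. That also replaces the mixed `== false && !` comparison with a single named boolean. The `send` method starts and ends outside this hunk.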
@@ -432,7 +433,20 @@
private boolean postBindingRequested;
private boolean areWeSendingRequest;
+
+ //Cater to SAML Web Browser SSO Profile demand that we do not reply in Redirect
Binding
+ private boolean strictPostBinding = false;
+
+ public boolean isStrictPostBinding()
+ {
+ return strictPostBinding;
+ }
+ public void setStrictPostBinding(boolean strictPostBinding)
+ {
+ this.strictPostBinding = strictPostBinding;
+ }
+
public Document getResponseDoc()
{
return responseDoc;
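Review bot: The comment on the holder's `strictPostBinding` repeats the profile wording but not the concrete effect, which is that `send` ignores `postBindingRequested` when this is true; say so: `// When true, send() always uses the HTTP-POST binding, overriding postBindingRequested (SAML Web Browser SSO Profile forbids Redirect for responses).` A `@param` on `setStrictPostBinding` stating the same would save readers a trip to `send`.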