[jboss-cvs] Picketlink SVN: r625 - in federation/trunk: picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/response and 3 other directories.

Mon Jan 3 16:12:34 EST 2011


Author: anil.saldhana at jboss.com
Date: 2011-01-03 16:12:33 -0500 (Mon, 03 Jan 2011)
New Revision: 625

Modified:
   federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
   federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/response/SAML2Response.java
   federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/holders/IDPInfoHolder.java
   federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
   federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
   federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2LogOutHandler.java
Log:
Renew the already-issued SAML assertion when a second SP requests authentication in the same IDP session, and cancel it at logout.

Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java	2011-01-03 21:12:06 UTC (rev 624)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java	2011-01-03 21:12:33 UTC (rev 625)
@@ -384,6 +384,8 @@
                            HANDLER_TYPE.IDP);
                   saml2HandlerRequest.setRelayState(relayState);
                   
+                  String assertionID = (String) session.getSession().getAttribute( GeneralConstants.ASSERTION_ID );
+                  
                   //Set the options on the handler request
                   Map<String, Object> requestOptions = new HashMap<String, Object>();
                   if(this.ignoreIncomingSignatures)
@@ -391,6 +393,8 @@
                   requestOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator);
                   requestOptions.put(GeneralConstants.ASSERTIONS_VALIDITY, this.assertionValidity);
                   requestOptions.put(GeneralConstants.CONFIGURATION, this.idpConfiguration);
+                  if( assertionID != null )
+                     requestOptions.put(GeneralConstants.ASSERTION_ID, assertionID );
                   
                   if(this.keyManager != null)
                   {
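Review bot: The `requestOptions.put(GeneralConstants.ASSERTION_ID, assertionID )` option added here has no consumer in this commit — `SAML2AuthenticationHandler.getResponse` reads `ASSERTION_ID` and `ASSERTION` straight from the `HttpSession` rather than from `request.getOptions()`, so the two paths can disagree if the session attribute and the option are ever populated separately. Either drop the option or have the handler read `request.getOptions().get(GeneralConstants.ASSERTION_ID)` so there is a single source of truth for the renewal decision. The enclosing method body starts and ends outside the hunk.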

Modified: federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/response/SAML2Response.java
===================================================================
--- federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/response/SAML2Response.java	2011-01-03 21:12:06 UTC (rev 624)
+++ federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/response/SAML2Response.java	2011-01-03 21:12:33 UTC (rev 625)
@@ -187,10 +187,19 @@
       SAMLProtocolContext samlProtocolContext = new SAMLProtocolContext();
       samlProtocolContext.setSubjectType( subjectType );
       samlProtocolContext.setIssuerID(nameIDType); 
-      sts.issueToken( samlProtocolContext );
       
-      AssertionType assertionType = samlProtocolContext.getIssuedAssertion();
+      AssertionType assertionType = idp.getAssertion();
+      if( assertionType != null )
+      {
+         samlProtocolContext.setIssuedAssertion(assertionType);
+         //renew it
+         sts.renewToken( samlProtocolContext ); 
+      }
+      else
+         sts.issueToken( samlProtocolContext );
       
+      assertionType = samlProtocolContext.getIssuedAssertion();
+      
       /*AssertionType assertionType = SAMLAssertionFactory.createAssertion(id, 
             nameIDType , issueInstant, (ConditionsType) null, subjectType, (List<StatementAbstractType>)null );
       */
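Review bot: The renew branch at `sts.renewToken( samlProtocolContext )` re-issues whatever assertion the caller placed in `idp`, and nothing in this hunk rebinds it to the SP that is now asking — the `SPInfoHolder` destination and request ID are applied elsewhere, but any audience restriction or subject-confirmation recipient carried inside the assertion still points at the first SP unless `renewToken` rewrites them, which is outside this view. If it does not, an assertion scoped to SP1 is re-signed for SP2, so either confirm `renewToken` resets the Conditions or refuse renewal when the held assertion targets a different SP. Both branches also fall through to `assertionType = samlProtocolContext.getIssuedAssertion();` without checking for null, so a silent STS failure surfaces later as an NPE; a guard such as `if( assertionType == null ) throw new ProcessingException( "STS returned no assertion" );` would fail closed. The enclosing method begins and ends outside the hunk.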

Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/holders/IDPInfoHolder.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/holders/IDPInfoHolder.java	2011-01-03 21:12:06 UTC (rev 624)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/holders/IDPInfoHolder.java	2011-01-03 21:12:33 UTC (rev 625)
@@ -22,6 +22,8 @@
 package org.picketlink.identity.federation.core.saml.v2.holders;
 
 import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
+import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
+import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AssertionType;
  
 
 /**
@@ -36,6 +38,8 @@
    private String nameIDFormat = JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get();
    private String nameIDFormatValue;
    
+   private AssertionType assertion;
+   
    private int assertionValidityDuration = 5; //5 Minutes 
    
    public int getAssertionValidityDuration()
@@ -76,5 +80,21 @@
    public void setNameIDFormatValue(String nameIDFormatValue)
    {
       this.nameIDFormatValue = nameIDFormatValue;
-   } 
+   }
+
+   public AssertionType getAssertion()
+   {
+      SecurityManager sm = System.getSecurityManager();
+      if( sm != null )
+         sm.checkPermission( PicketLinkCoreSTS.rte );
+      return assertion;
+   }
+
+   public void setAssertion(AssertionType assertion)
+   {
+      SecurityManager sm = System.getSecurityManager();
+      if( sm != null )
+         sm.checkPermission( PicketLinkCoreSTS.rte );
+      this.assertion = assertion;
+   }  
 }
\ No newline at end of file
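Review bot: The `sm.checkPermission( PicketLinkCoreSTS.rte )` guard in `getAssertion` and `setAssertion` only runs when a `SecurityManager` is installed, which most container deployments lack, so the accessors must not be relied on as an access control for the held assertion. Both methods lack Javadoc; a field-level note such as `/** Previously issued assertion to renew instead of issuing a new one. The runtime permission check applies only when a SecurityManager is present. */` would make that limitation explicit. The setter also stores the caller's mutable `AssertionType` by reference, so later `addStatement` calls on the same object change what this holder exposes — worth stating if that sharing is intended.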

Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java	2011-01-03 21:12:06 UTC (rev 624)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java	2011-01-03 21:12:33 UTC (rev 625)
@@ -29,6 +29,8 @@
 public interface GeneralConstants
 {
    String ASSERTIONS_VALIDITY = "ASSERTIONS_VALIDITY";
+   String ASSERTION_ID = "ASSERTION_ID";
+   String ASSERTION = "ASSERTION";
    
    String ATTRIBUTES = "ATTRIBUTES";
    String ATTRIBUTE_KEYS = "ATTRIBUTE_KEYS";

Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java	2011-01-03 21:12:06 UTC (rev 624)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java	2011-01-03 21:12:33 UTC (rev 625)
@@ -50,11 +50,11 @@
 import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AssertionType;
 import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType;
 import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
-import org.picketlink.identity.federation.newmodel.saml.v2.assertion.SubjectType.STSubType;
 import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AttributeType;
 import org.picketlink.identity.federation.newmodel.saml.v2.assertion.EncryptedAssertionType;
 import org.picketlink.identity.federation.newmodel.saml.v2.assertion.NameIDType;
 import org.picketlink.identity.federation.newmodel.saml.v2.assertion.SubjectType;
+import org.picketlink.identity.federation.newmodel.saml.v2.assertion.SubjectType.STSubType;
 import org.picketlink.identity.federation.newmodel.saml.v2.protocol.AuthnRequestType;
 import org.picketlink.identity.federation.newmodel.saml.v2.protocol.ResponseType;
 import org.picketlink.identity.federation.newmodel.saml.v2.protocol.ResponseType.RTChoiceType;
@@ -142,7 +142,6 @@
       {  
       }
       
-      @SuppressWarnings("unchecked")
       public void handleRequestType( SAML2HandlerRequest request, 
             SAML2HandlerResponse response ) throws ProcessingException
       { 
@@ -150,22 +149,29 @@
          ServletContext servletContext = httpContext.getServletContext();
          
          AuthnRequestType art = (AuthnRequestType) request.getSAML2Object();
+         if( art == null )
+            throw new ProcessingException( "AuthnRequest is null" );
+         
+         String destination = art.getAssertionConsumerServiceURL().toASCIIString();
+         
          HttpSession session = BaseSAML2Handler.getHttpSession(request);
          Principal userPrincipal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID);
          if(userPrincipal == null)
             userPrincipal = httpContext.getRequest().getUserPrincipal();
-         
-         List<String> roles = (List<String>) session.getAttribute(GeneralConstants.ROLES_ID);
+         /*
+         List<String> roles = (List<String>) session.getAttribute(GeneralConstants.ROLES_ID);*/
          try
          {
-            Map<String,Object> attribs = (Map<String, Object>) request.getOptions().get(GeneralConstants.ATTRIBUTES);
+            /*Map<String,Object> attribs = (Map<String, Object>) request.getOptions().get(GeneralConstants.ATTRIBUTES);
             long assertionValidity = (Long) request.getOptions().get(GeneralConstants.ASSERTIONS_VALIDITY);
             String destination = art.getAssertionConsumerServiceURL().toASCIIString();
             Document samlResponse = this.getResponse(destination,
                   userPrincipal, roles, request.getIssuer().getValue(),
                   attribs,
-                  assertionValidity, art.getID());
+                  assertionValidity, art.getID());*/
             
+            Document samlResponse = this.getResponse(request);
+            
             //Update the Identity Server
             boolean isPost = httpContext.getRequest().getMethod().equalsIgnoreCase( "POST" );
             IdentityServer identityServer = (IdentityServer) servletContext.getAttribute(GeneralConstants.IDENTITY_SERVER);
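Review bot: The new `String destination = art.getAssertionConsumerServiceURL().toASCIIString();` dereferences `getAssertionConsumerServiceURL()` without a null check, and `destination` is then unused in this hunk because the only call that consumed it is now commented out. `AssertionConsumerServiceURL` is optional in a SAML 2.0 `AuthnRequest`, so a request that omits it turns the new null-`art` check's `ProcessingException` into a `NullPointerException` one line later; either remove the dead local or guard it: `if( art.getAssertionConsumerServiceURL() == null ) throw new ProcessingException( "AuthnRequest has no AssertionConsumerServiceURL" );`. The commented-out `roles` lookup and old `getResponse` invocation should be deleted rather than kept, since the replacement is already marked `@Deprecated`. `handleRequestType` continues past the end of the hunk.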
@@ -183,6 +189,105 @@
          }
       }
       
+      @SuppressWarnings("unchecked")
+      public Document getResponse( SAML2HandlerRequest request ) throws ConfigurationException, ProcessingException
+      {
+         HTTPContext httpContext = (HTTPContext) request.getContext();
+         AuthnRequestType art = (AuthnRequestType) request.getSAML2Object();
+         HttpSession session = BaseSAML2Handler.getHttpSession(request);
+         Principal userPrincipal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID);
+         if(userPrincipal == null)
+            userPrincipal = httpContext.getRequest().getUserPrincipal(); 
+         
+         String assertionConsumerURL = art.getAssertionConsumerServiceURL().toASCIIString(); 
+         List<String> roles = (List<String>) session.getAttribute(GeneralConstants.ROLES_ID); 
+         String identityURL = request.getIssuer().getValue();
+         Map<String, Object> attribs = (Map<String, Object>) request.getOptions().get(GeneralConstants.ATTRIBUTES); 
+         long assertionValidity = (Long) request.getOptions().get(GeneralConstants.ASSERTIONS_VALIDITY);
+         String requestID = art.getID();
+          
+         Document samlResponseDocument = null;
+         
+         if(trace) 
+            log.trace("AssertionConsumerURL=" + assertionConsumerURL + 
+               "::assertion validity=" + assertionValidity);
+         ResponseType responseType = null;     
+         
+         SAML2Response saml2Response = new SAML2Response();
+               
+         //Create a response type
+         String id = IDGenerator.create("ID_");
+          
+         IssuerInfoHolder issuerHolder = new IssuerInfoHolder(identityURL); 
+         issuerHolder.setStatusCode(JBossSAMLURIConstants.STATUS_SUCCESS.get());
+
+         IDPInfoHolder idp = new IDPInfoHolder();
+         idp.setNameIDFormatValue(userPrincipal.getName());
+         idp.setNameIDFormat(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get());
+         
+         String assertionID = (String) session.getAttribute( GeneralConstants.ASSERTION_ID );
+          
+         if( assertionID != null )
+         {
+            //Just renew the assertion
+            AssertionType latestAssertion = (AssertionType) session.getAttribute( GeneralConstants.ASSERTION );
+            if( latestAssertion != null )
+               idp.setAssertion( latestAssertion );
+         }
+
+         SPInfoHolder sp = new SPInfoHolder();
+         sp.setResponseDestinationURI(assertionConsumerURL);
+         sp.setRequestID(requestID);
+         responseType = saml2Response.createResponseType(id, sp, idp, issuerHolder);
+         
+         //Add information on the roles
+         AssertionType assertion = (AssertionType) responseType.getAssertions().get(0).getAssertion();
+
+         AttributeStatementType attrStatement = StatementUtil.createAttributeStatement(roles);
+         assertion.addStatement( attrStatement );
+         
+         /*//Add timed conditions
+         saml2Response.createTimedConditions(assertion, assertionValidity);*/
+
+         //Add in the attributes information
+         if(attribs != null && attribs.size() > 0 )
+         {
+            AttributeStatementType attStatement = StatementUtil.createAttributeStatement(attribs);
+            assertion.addStatement( attStatement );
+         } 
+         
+         //Add assertion to the session
+         session.setAttribute( GeneralConstants.ASSERTION, assertion );
+    
+         //Lets see how the response looks like 
+         if(log.isTraceEnabled())
+         {
+            StringWriter sw = new StringWriter();
+            try
+            {
+               saml2Response.marshall(responseType, sw);
+            }
+            catch ( ProcessingException e)
+            {
+               log.trace(e);
+            } 
+            log.trace("Response="+sw.toString()); 
+         }
+         try
+         {
+            samlResponseDocument = saml2Response.convert(responseType);
+         }
+         catch (Exception e)
+         {
+            e.printStackTrace();
+            if(trace)
+               log.trace(e); 
+         } 
+         return samlResponseDocument; 
+      }
+      
+      @SuppressWarnings("unused")
+      @Deprecated
       public Document getResponse( String assertionConsumerURL,
             Principal userPrincipal,
             List<String> roles, 
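Review bot: In the renewal path the assertion read from `session.getAttribute( GeneralConstants.ASSERTION )` is the same object the previous call mutated, and after `createResponseType` returns this method again executes `assertion.addStatement( attrStatement )` for roles and for `attribs`; if `renewToken` preserves the statement list, every additional SP login appends another `AttributeStatement` to the shared assertion and the copy stored back at `session.setAttribute( GeneralConstants.ASSERTION, assertion )` grows with each renewal. Only add the statements when the assertion was freshly issued, or rebuild them before appending. The response destination is also taken directly from the unauthenticated `AuthnRequest` via `sp.setResponseDestinationURI(assertionConsumerURL)` with no comparison against the SP's registered endpoints, so unless request-signature validation elsewhere in the handler chain covers it (the `ignoreIncomingSignatures` option in the valve suggests it can be disabled), an attacker-supplied ACS URL receives the signed response. Finally the `catch (Exception e)` around `saml2Response.convert(responseType)` prints the stack trace, logs at trace level and returns a null `Document`; rethrow instead, e.g. `throw new ProcessingException( e );`, so callers never forward a null response.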

Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2LogOutHandler.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2LogOutHandler.java	2011-01-03 21:12:06 UTC (rev 624)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2LogOutHandler.java	2011-01-03 21:12:33 UTC (rev 625)
@@ -35,6 +35,7 @@
 import org.picketlink.identity.federation.core.exceptions.ParsingException;
 import org.picketlink.identity.federation.core.exceptions.ProcessingException;
 import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
+import org.picketlink.identity.federation.core.saml.v2.common.SAMLProtocolContext;
 import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLConstants;
 import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
 import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
@@ -42,6 +43,8 @@
 import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest.GENERATE_REQUEST_TYPE;
 import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
 import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil; 
+import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
+import org.picketlink.identity.federation.newmodel.saml.v2.assertion.AssertionType;
 import org.picketlink.identity.federation.newmodel.saml.v2.protocol.LogoutRequestType;
 import org.picketlink.identity.federation.newmodel.saml.v2.protocol.ResponseType;
 import org.picketlink.identity.federation.newmodel.saml.v2.protocol.StatusCodeType;
@@ -172,7 +175,16 @@
          String nextParticipant = this.getParticipant(server, sessionID, relayState);
          if(nextParticipant == null || nextParticipant.equals(relayState))
          {
-            //we are done with logout
+            //we are done with logout - First ask STS to cancel the token
+            AssertionType assertion = (AssertionType) httpSession.getAttribute( GeneralConstants.ASSERTION );
+            if( assertion != null )
+            {
+               PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
+               SAMLProtocolContext samlProtocolContext = new SAMLProtocolContext(); 
+               samlProtocolContext.setIssuedAssertion( assertion );
+               sts.cancelToken(samlProtocolContext); 
+               httpSession.removeAttribute( GeneralConstants.ASSERTION );
+            }
             
             //TODO: check the in transit map for partial logouts
 
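Review bot: Only `GeneralConstants.ASSERTION` is removed from the session after `sts.cancelToken(samlProtocolContext)`, while `GeneralConstants.ASSERTION_ID` — which the valve forwards as a request option and the authentication handler uses as its renewal trigger — is left in place; this diff only reads that attribute, so if it is stored in the session elsewhere a later login in the same HTTP session would carry a cancelled token's ID. Clearing both keeps the state consistent: `httpSession.removeAttribute( GeneralConstants.ASSERTION_ID );` next to the existing `removeAttribute`. An exception thrown by `cancelToken` also propagates out before the participant bookkeeping below runs; if cancellation is best-effort, catch and log it so the local logout still completes. The enclosing method starts and ends outside this hunk.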


