/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: FSSSOBrowserArtifactProfileHandler.java,v 1.6 2008/12/19 06:50:46 exu Exp $
*
*/
/*
* Portions Copyrighted 2013 ForgeRock, Inc.
*/
/**
 * <code>IDP</code>-side single sign-on service handler for the browser
 * artifact profile: it answers the <code>SP</code>'s artifact request
 * with the matching assertion(s).
 */
/**
* Sets <code>SOAP</code> message.
* @param msg <code>SOAPMessage</code> object
*/
}
/**
* Sets <code>SAML</code> request element.
* @param root <code>SAML</code> request element
*/
"FSBrowserArtifactConsumerHandler.setSAMLRequestElement: Called");
}
/**
 * No-arg constructor. Performs no initialisation; it is
 * <code>protected</code>, so presumably intended for subclass use only.
 */
protected FSSSOBrowserArtifactProfileHandler() {
}
/**
* Constructor.
* @param request <code>HttpServletRequest</code> object
* @param response <code>HttpServletResponse</code> object
* @param authnRequest authentication request
* @param spDescriptor <code>SP</code>'s provider descriptor
* @param spConfig <code>SP</code>'s extended meta config
* @param spEntityId <code>SP</code>'s entity id
* @param relayState where to go after single sign on is done
*/
{
}
/**
* Constructor.
* @param request <code>HttpServletRequest</code> object
* @param response <code>HttpServletResponse</code> object
* @param samlRequest <code>Request</code> object that contains artifact
*/
)
{
//this.samlRequest = samlRequest;
}
/**
 * Processes authentication request.
 * In the pre-authentication case, when signing is enabled and the
 * provider is flagged as signing its requests, the request signature is
 * verified first and a verification failure aborts processing.
 * @param authnRequest authentication request
 * @param bPostAuthn <code>true</code> indicates it's post authentication;
 * <code>false</code> indicates it's pre authentication.
 */
public void processAuthnRequest(
boolean bPostAuthn)
{
// NOTE(review): this listing has dropped lines (the authnRequest
// parameter and most log/response calls); only the visible control
// flow is annotated below.
"FSSSOBrowserArtifactProfileHandler.processAuthnRequest: Called");
try {
if (bPostAuthn){
// Post-authentication path: as far as the visible lines show, no
// signature check happens here; the outcome is only logged.
if (processPostAuthnSSO(authnRequest)){
"FSSSOBrowserArtifactProfileHandler."
+ "processAuthnRequest: AuthnRequest Processing"
+ "successful");
}
} else {
"FSSSOBrowserArtifactProfileHandler."
+ "processAuthnRequest: AuthnRequest Processing "
+ "failed");
}
};
data,
ssoToken);
}
} else {
// Pre-authentication path: the signature is checked (when configured)
// before processPreAuthnSSO is invoked.
boolean authnRequestSigned =
+ "processAuthnRequest: ProviderID : "
+ " AuthnRequestSigned : "
}
if (FSServiceUtils.isSigningOn()){
// NOTE(review): verification only runs when authnRequestSigned is
// true. If that flag comes from the remote provider's metadata (the
// log line above pairs it with ProviderID), an SP whose metadata
// says it does not sign gets its requests accepted unverified even
// with signing switched on — confirm this is the intended trust model.
if (authnRequestSigned){
if (!verifyRequestSignature(authnRequest)){
"FSSSOBrowserArtifactProfileHandler."
+ "processAuthnRequest: "
+ "AuthnRequest Signature Verification Failed");
"signatureVerificationFailed") };
data,
ssoToken);
// Fail closed: a bad signature aborts SSO processing.
return;
} else {
"FSSSOBrowserArtifactProfileHandler."
+ "processAuthnRequest: "
+ "AuthnRequest Signature Verified");
}
}
}
}
if (processPreAuthnSSO(authnRequest)){
"FSSSOBrowserArtifactProfileHandler."
+ "processAuthnRequest: AuthnRequest Processing "
+ " successful");
}
} else {
"FSSSOBrowserArtifactProfileHandler."
+ "processAuthnRequest: AuthnRequest Processing "
+ "failed");
}
};
data,
ssoToken);
}
}
} catch(Exception e){
// NOTE(review): only a log call is visible in this handler; if nothing
// in the dropped lines sends an error response, the SP's browser is
// left without a reply when processing throws.
+ "processAuthnRequest: Exception Occured: ", e);
}
}
/**
 * Processes request with artifacts.
 * @param samlRequest <code>FSSAMLRequest</code> object
 * @return <code>FSResponse</code> object, or <code>null</code> if the
 *         response could not be built (the failure is logged).
 */
"FSSSOBrowserArtifactProfileHandler.processSAMLRequest: Called");
try {
return createSAMLResponse(samlRequest);
} catch(Exception e){
+ "processSAMLRequest: Fatal error, "
+ "cannot create status or response: ", e);
return null;
}
}
throws FSException
{
"FSSSOBrowserArtifactProfileHandler.createSAMLResponse: Called");
int length;
+ "createSAMLResponse: "
+ "Found element in the request which are not supported");
}
try {
retResponse = new FSResponse(
} catch( SAMLException se ) {
+ "createSAMLResponse: "
+ "Fatal error, cannot create status or response: ", se);
}
} else {
}
return retResponse;
}
try {
} catch(FSException se ) {
+ "createSAMLResponse: Cannot instantiate "
+ "FSAssertionManager");
}
try {
retResponse = new FSResponse(
} catch( SAMLException sse ) {
+ "createSAMLResponse: "
+ "Fatal error, cannot create status or response: ", sse);
}
} else {
}
return retResponse;
}
// ensure that all the artifacts have the same sourceID
for (int j = 0; j < length; j++) {
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: Artifacts not from "
+ "the same source");
}
try {
/**
* Need a second level status for the federation
* does not exist.
*/
new StatusCode("samlp:Requester",
new StatusCode(
null)),
null);
new FSResponse(respID,
contents);
} catch( SAMLException ex ) {
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: Fatal error, "
+ "cannot create status or response: ", ex);
}
retResponse.toString() };
data);
} else {
}
return retResponse;
} else { //sourceids are equal
continue;
}
} else {// sourceID == null
}
} // while loop to go through artifacts to check for sourceID
try {
} catch(FSException ex){
+ "createSAMLResponse: FSException Occured while "
+ "retrieving sp's providerID for the artifact: ", ex);
providerID = null;
}
if (providerID == null){
+ "createSAMLResponse: "
+ "artifact received does not correspond to any SP");
try {
/**
* Need a second level status for the federation
* does not exist.
*/
/**
* First, let's check we haven't recorded a status
* beforehand (by another call) related to this
* artifact. If so, use it.
*/
} else {
new StatusCode("samlp:Requester",
new StatusCode(
null)),
null);
}
retResponse = new FSResponse(
return retResponse;
} catch( SAMLException sse ) {
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse:Fatal error, "
+ "cannot create status or response: ", sse);
return null;
}
//return error response
} else {
try {
if (!metaManager.isTrustedProvider(
{
"FSSSOAndFedHandler.processAuthnRequest: "
+ "RemoteProvider is not trusted");
"AuthnRequestProcessingFailed");
new StatusCode("samlp:Requester"),
null);
retResponse = new FSResponse(
return retResponse;
}
realm, providerID);
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: "
+ "FSAllianceManagementException "
+ "Occured while getting" , ae);
try {
new StatusCode("samlp:Requester"),
null);
retResponse = new FSResponse(
return retResponse;
} catch( SAMLException sse ) {
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse:Fatal error, "
+ "cannot create status or response: ", sse);
return null;
}
}
}
//Verify signature
if (FSServiceUtils.isSigningOn()){
{
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: "
+ "SAMLRequest signature verification failed");
"signatureVerificationFailed");
try {
new StatusCode("samlp:Requester"),
null);
retResponse = new FSResponse(
return retResponse;
} catch( SAMLException sse ) {
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse:Fatal error, "
+ "cannot create status or response: "
+ sse.getMessage());
}
} else {
"FSSSOBrowserArtProfileHandler.createSAMLResp:"
+ " SAMLRequest signature verified");
}
}
}
//end signature verification
} else {
+ "createSAMLResponse: No artifact found in samlRequest");
try {
retResponse = new FSResponse(
return retResponse;
} catch( SAMLException sse ) {
+ "createSAMLResponse:Fatal error, "
+ "cannot create status or response: ", sse);
return null;
}
}
for (int i = 0; i < length; i++) {
try {
} catch(FSException e ) {
"FSSSOBrowserArtifactProfileHandler.createSAML"
+ "Response:could not find matching assertion:", e);
}
message = e.getMessage();
try {
retResponse = new FSResponse(
} catch( SAMLException sse ) {
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse:Fatal error, "
+ "cannot create status or response: ", sse);
}
} else {
}
return retResponse;
}
}
}
}
}
// check that the target restriction condition
// inside the assertion has the calling host's address in it.
for (int i = 0; i < assertionSize; i++) {
+ "createSAMLResponse: checking to see if assertions"
+ " are for host:" + remoteAddr);
}
while (trcsIterator.hasNext()) {
{
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: removing TRC not"
+ "meant for this host");
}
}
}
}
}
if (assertionSize == 0) {
+ "createSAMLResponse: Matching Assertions(s) not "
+ "created for this host");
}
try {
status =
retResponse = new FSResponse(
} catch( SAMLException se ) {
+ "createSAMLResponse: Fatal error, "
+ "cannot create status or response:", se);
}
} else {
}
return retResponse;
}
+ "createSAMLResponse: Matching Assertion found");
}
try {
retResponse = new FSResponse(
} catch( SAMLException se ) {
+ "createSAMLResponse: Fatal error, "
+ "cannot create status or response:", se);
return null;
} catch(Exception e ) {
+ "createSAMLResponse: Fatal error, "
+ "cannot create status or response:", e);
return null;
}
} else {
}
return retResponse;
} else {
try {
retResponse = new FSResponse(
} catch( SAMLException se ) {
+ "createSAMLResponse: Fatal error, "
+ "cannot create status or response:", se);
}
} else {
}
return retResponse;
}
} else { // build response for all the other type of request
try {
retResponse = new FSResponse(
} catch( SAMLException se ) {
+ "createSAMLResponse: Fatal error, "
+ "cannot create status or response:", se);
}
}
} else {
}
return retResponse;
}
/**
 * Generates artifact and sends it to <code>SP</code>.
 * @return <code>true</code> always — as written the method returns
 *         unconditionally, so the result does not indicate whether the
 *         artifact was actually created or delivered.
 */
protected boolean doSingleSignOn(
)
{
"FSSSOBrowserArtifactProfileHandler.doSingleSignOn: Called");
// NOTE(review): returns true unconditionally, so the caller cannot tell
// from the return value whether artifact creation or delivery (done in
// lines dropped from this listing, if anywhere) actually succeeded.
return true;
}
/**
* Creates assertion and assertion artifact.
*/
)
{
+ "createSAMLAssertionArtifact: Called");
}
try {
}
return artifactList;
} catch(FSException se) {
+ "createSAMLAssertionArtifact(0): ", se);
return null;
} catch(SAMLException se) {
+ "createSAMLAssertionArtifact(1): ", se);
return null;
} catch (SessionException se) {
+ "createSAMLAssertionArtifact(2): ", se);
return null;
}
}
"FSSSOBrowserArtifactProfileHandler.sendSAMLArtifacts: Called");
}
try {
+ "sendSAMLArtifacts: Sending null artifact");
}
.append("=")
.append("&");
} else {
"FSSSOBrowserArtifactProfileHandler."
+ "sendSAMLArtifacts: " + art);
}
.append("=")
.append("&");
}
}
} else {
}
.append("=")
}
+ "sendSAMLArtifacts: Sending artifacts to: " + redirecto);
}
+ "sendSAMLArtifacts: ", ex);
}
}
/**
 * Generates a valid SAML artifact, in response
 * to a single sign on request for a non federated user.
 * Returns <code>null</code> if the assertion handle cannot be generated
 * or artifact creation throws; both cases are logged.
 */
"FSSSOBrowserArtifactProfileHandler. In createFaultSAMLArtifacts");
// create assertion id and artifact
"create FaultSAMLArtifacts: couldn't generate assertion " +
"handle.");
}
return null;
}
try {
return artis;
} catch(Exception e) {
"FSBrowserArtifactProfileHandler.createFaultSAMLArtifacts: ", e);
return null;
}
}
/**
 * Verifies the signature on the SP's SAML <code>Request</code>.
 * Fails closed: any exception while locating the certificate or
 * verifying the signature results in <code>false</code>.
 * NOTE(review): this listing has dropped the parameter list and the
 * actual verification call; only the visible lines are documented.
 */
protected boolean verifySAMLRequestSignature(
)
{
+ "verifySAMLRequestSignature: Called");
}
try {
// The certificate is resolved from the SP descriptor / entity id, so it
// appears to be the remote requester's key rather than this site's. The
// log text below ("this site's cert") and in the catch ("IDP's
// signature") read as mis-worded for an IDP-side check — confirm and
// fix the messages.
spDescriptor, spEntityId, false);
+ "verifySAMLRequestSignature: couldn't obtain "
+ "this site's cert.");
}
// Thrown inside the try, so it is converted to "return false" by the
// catch below rather than propagating to the caller.
throw new SAMLResponderException(
}
} catch(Exception e){
+ "verifySAMLRequestSignature: Exception occured while "
+ "verifying IDP's signature:" , e);
return false;
}
}
}