/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * https://opensso.dev.java.net/public/CDDLv1.0.html or
 * opensso/legal/CDDLv1.0.txt
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at opensso/legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 * $Id: FSNameMappingHandler.java,v 1.3 2008/06/25 05:47:02 qcheng Exp $
 *
 */


package com.sun.identity.federation.services.namemapping;

import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import com.sun.identity.federation.accountmgmt.FSAccountManager;
import com.sun.identity.federation.accountmgmt.FSAccountMgmtException;
import com.sun.identity.federation.accountmgmt.FSAccountFedInfo;
import com.sun.identity.federation.accountmgmt.FSAccountFedInfoKey;
import com.sun.identity.federation.common.IFSConstants;
import com.sun.identity.federation.common.FSUtils;
import com.sun.identity.federation.jaxb.entityconfig.BaseConfigType;
import com.sun.identity.federation.key.KeyUtil;
import com.sun.identity.federation.message.FSNameIdentifierMappingResponse;
import com.sun.identity.federation.message.FSNameIdentifierMappingRequest;
import com.sun.identity.federation.meta.IDFFMetaManager;
import com.sun.identity.federation.meta.IDFFMetaUtils;
import com.sun.identity.federation.services.util.FSServiceUtils;
import com.sun.identity.liberty.ws.meta.jaxb.ProviderDescriptorType;
import com.sun.identity.saml.assertion.NameIdentifier;
import com.sun.identity.saml.common.SAMLException;
import com.sun.identity.saml.xmlsig.XMLSignatureManager;
import com.sun.identity.shared.xml.XMLUtils;
import javax.xml.soap.SOAPMessage;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Handles <code>ID-FF</code> name identifier mapping.
 */
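public class FSNameMappingHandler {

    // May be null: the constructor only logs a failure to obtain the account
    // manager, so both getNameIdentifier overloads will then fail with a
    // NullPointerException on first use.
    private final FSAccountManager accountMgr;
    private final String hostedEntityID;
    private final ProviderDescriptorType hostedProviderDesc;
    private final BaseConfigType hostedConfig;
    private final String metaAlias;
    private final String realm;
    private static final IDFFMetaManager metaManager =
        FSUtils.getIDFFMetaManager();

    /**
     * Constructs a <code>FSNameMappingHandler</code> object for a provider.
     * The realm is derived from <code>metaAlias</code>. A failure to obtain
     * the account manager is logged (with its cause) rather than thrown.
     *
     * @param entityID hosted provider's entity id
     * @param hostedDesc hosted provider's meta descriptor
     * @param hostedConfig hosted provider's extended meta config
     * @param metaAlias hosted provider's meta alias
     */
    public FSNameMappingHandler(
        String entityID,
        ProviderDescriptorType hostedDesc,
        BaseConfigType hostedConfig,
        String metaAlias)
    {
        FSUtils.debug.message("FSNameMappingHandler: entering constructor");
        this.hostedEntityID = entityID;
        this.hostedProviderDesc = hostedDesc;
        this.hostedConfig = hostedConfig;
        this.metaAlias = metaAlias;
        this.realm = IDFFMetaUtils.getRealmByMetaAlias(metaAlias);

        FSAccountManager manager = null;
        try {
            manager = FSAccountManager.getInstance(metaAlias);
        } catch (FSAccountMgmtException e) {
            // Keep the cause in the log; without it the reason the account
            // manager could not be created is lost.
            FSUtils.debug.error("FSNameMappingHandler: " +
                FSUtils.bundle.getString(
                    IFSConstants.FEDERATION_FAILED_ACCOUNT_INSTANCE), e);
        }
        this.accountMgr = manager;
    }

    /**
     * Returns the <code>NameIdentifier</code> a user has with a provider.
     * <p>
     * When <code>local</code> is <code>true</code> the locally stored
     * identifier is preferred; if there is none, one is built from the
     * remote identifier's name and format with the hosted entity id as the
     * second constructor argument. When <code>local</code> is
     * <code>false</code> the roles are swapped and
     * <code>remoteEntityID</code> is used instead. An identifier whose
     * format is <code>null</code> or empty gets
     * <code>IFSConstants.NI_FEDERATED_FORMAT_URI</code>.
     *
     * @param userID user id.
     * @param remoteEntityID the provider id whose federation record with
     *        the user is read.
     * @param local <code>true</code> to prefer the local name identifier;
     *        <code>false</code> to prefer the remote one.
     * @return the <code>NameIdentifier</code>, or <code>null</code> if the
     *         federation record holds neither a local nor a remote one.
     * @exception FSAccountMgmtException if an account management error
     *            occurred.
     * @exception SAMLException if a SAML error occurred.
     */
    public NameIdentifier getNameIdentifier(
        String userID,
        String remoteEntityID,
        boolean local)
        throws FSAccountMgmtException, SAMLException
    {
        // NOTE(review): nothing here guards against readAccountFedInfo
        // returning null (e.g. no federation for this user/provider pair);
        // confirm its contract, otherwise the calls below throw a
        // NullPointerException.
        FSAccountFedInfo accountInfo =
            accountMgr.readAccountFedInfo(userID, remoteEntityID);

        NameIdentifier nameIdentifier;
        if (local) {
            nameIdentifier = accountInfo.getLocalNameIdentifier();
            if (nameIdentifier == null) {
                NameIdentifier remoteNI =
                    accountInfo.getRemoteNameIdentifier();
                if (remoteNI != null) {
                    nameIdentifier = new NameIdentifier(
                        remoteNI.getName(),
                        hostedEntityID,
                        remoteNI.getFormat());
                }
            }
        } else {
            nameIdentifier = accountInfo.getRemoteNameIdentifier();
            if (nameIdentifier == null) {
                NameIdentifier localNI = accountInfo.getLocalNameIdentifier();
                if (localNI != null) {
                    nameIdentifier = new NameIdentifier(
                        localNI.getName(),
                        remoteEntityID,
                        localNI.getFormat());
                }
            }
        }

        // The null test must come first: the original order dereferenced
        // the format before checking it for null.
        if (nameIdentifier != null &&
            (nameIdentifier.getFormat() == null ||
             nameIdentifier.getFormat().length() == 0))
        {
            nameIdentifier.setFormat(IFSConstants.NI_FEDERATED_FORMAT_URI);
        }
        return nameIdentifier;
    }

    /**
     * Resolves the user named in a name identifier mapping request and
     * returns that user's <code>NameIdentifier</code> with a provider.
     * <p>
     * The user is looked up in this handler's realm from the request's
     * provider id and trimmed name identifier value; the request itself is
     * handed to the lookup under
     * <code>IFSConstants.FS_USER_PROVIDER_ENV_NAMEMAPPING_KEY</code>.
     *
     * @param mappingRequest name ID mapping request object
     * @param remoteEntityID the provider id whose federation record with
     *        the user is read.
     * @param local <code>true</code> to prefer the local name identifier;
     *        <code>false</code> to prefer the remote one.
     * @return the <code>NameIdentifier</code>, or <code>null</code> if the
     *         federation record holds neither a local nor a remote one.
     * @exception FSAccountMgmtException if an account management error
     *            occurred.
     * @exception SAMLException if a SAML error occurred.
     */
    public NameIdentifier getNameIdentifier(
        FSNameIdentifierMappingRequest mappingRequest,
        String remoteEntityID,
        boolean local)
        throws FSAccountMgmtException, SAMLException
    {
        // NOTE(review): the provider id and name identifier come from the
        // request as received; this method does not validate them and does
        // not check a signature. A request without a name identifier makes
        // the chained call below throw a NullPointerException. Confirm the
        // caller authenticates and validates the request first.
        FSAccountFedInfoKey acctkey = new FSAccountFedInfoKey(
            mappingRequest.getProviderID(),
            mappingRequest.getNameIdentifier().getName().trim());

        Map env = new HashMap();
        env.put(IFSConstants.FS_USER_PROVIDER_ENV_NAMEMAPPING_KEY,
            mappingRequest);

        // NOTE(review): presumably getUserID can fail to find a user;
        // whether it then returns null or throws is not visible here.
        String userID = accountMgr.getUserID(acctkey, realm, env);
        return getNameIdentifier(userID, remoteEntityID, local);
    }

    /**
     * Verifies the signature on a name identifier mapping response.
     * <p>
     * The verification certificate is selected by the provider id read from
     * the response itself and looked up as an identity provider descriptor
     * in <code>realm</code>. The signature check runs over the DOM built
     * from the whole <code>SOAPMessage</code>. The method fails closed: a
     * missing meta manager, a missing certificate, or any exception yields
     * <code>false</code>.
     * <p>
     * NOTE(review): nothing in this method ties the signature that was
     * verified to <code>elt</code>, the element the provider id is read
     * from; confirm that the signature manager or the caller checks that
     * the signed content is the element that is later consumed.
     * <p>
     * When message-level debugging is enabled the full response XML is
     * written to the debug log, so that log should be access-restricted.
     *
     * @param elt <code>DOM</code> element which contains
     *        <code>FSNameIdentifierMappingResponse</code>
     * @param msg <code>SOAPMessage</code> object which contains signed
     *        name identifier mapping response.
     * @param realm the realm in which the provider resides
     * @return <code>true</code> if the signature is valid; <code>false</code>
     *         otherwise.
     */
    public static boolean verifyNameIdMappingResponseSignature(
        Element elt,
        SOAPMessage msg,
        String realm
    ) {
        FSUtils.debug.message(
            "FSNameMappingHandler.verifyNameIdMappingResponseSignature:Called");
        // Without metadata no certificate can be resolved, so reject before
        // touching the response.
        if (metaManager == null) {
            FSUtils.debug.error(
                "FSNameMappingHandler.verifyNameIdMappingResponseSignature:"
                + " Unable to get meta manager");
            return false;
        }
        try {
            FSNameIdentifierMappingResponse nimRes =
                new FSNameIdentifierMappingResponse(elt);

            // The certificate comes from locally held metadata, keyed by
            // the provider id the response claims.
            // NOTE(review): the trailing 'true' presumably selects the
            // identity provider role - confirm against KeyUtil.
            String entityId = nimRes.getProviderID();
            X509Certificate cert = KeyUtil.getVerificationCert(
                metaManager.getIDPDescriptor(realm, entityId), entityId, true);

            if (cert == null) {
                FSUtils.debug.error("FSNameMappingHandler."
                    + "verifyNameIdMappingResponseSignature: couldn't obtain "
                    + "the cert for signature verification.");
                return false;
            }
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message(
                    "FSNameMappingHandler.verifyNameIdMappingResponseSignature:"
                    + " Provider's cert is found.");
                FSUtils.debug.message(
                    "FSNameMappingHandler.verifyNameIdMappingResponseSignature:"
                    + "xmlString to be verified: " + XMLUtils.print(elt));
            }
            Document doc = (Document)FSServiceUtils.createSOAPDOM(msg);
            XMLSignatureManager manager = XMLSignatureManager.getInstance();
            return manager.verifyXMLSignature(doc, cert);
        } catch (Exception e) {
            // Deliberately broad: any failure while verifying must be
            // treated as an invalid signature.
            FSUtils.debug.error(
                "FSNameMappingHandler.verifyNameIdMappingResponseSignature: "
                + "Exception occured while verifying signature:", e);
            return false;
        }
    }
}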