/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: FSNameRegistrationHandler.java,v 1.7 2008/12/19 06:50:47 exu Exp $
*
*/
/**
* Work class that handles registration process.
*/
public class FSNameRegistrationHandler {
/**
* Constructor. Initializes FSAccountManager, meta Manager instance.
*/
public FSNameRegistrationHandler() {
}
/**
* Invoked to set some commonly used URLs based on hosted provider.
*/
protected void setRegistrationURL() {
}
/**
* Sets hosted provider descriptor.
* This function is called from FSServiceManager to give state to the
* name registration handler that is handling the current
* name registration. The hosted provider identifies the provider who
* is handling the registration request or initiating it locally.
* @param hostedDescriptor the Hosted provider Descriptor
*/
{
"Entered FSNameRegistrationHandler::setHostedDescriptor");
this.hostedDescriptor = hostedDescriptor;
}
/**
* Sets hosted provider's extended meta.
* @param hostedConfig hosted provider's extended meta.
*/
this.hostedConfig = hostedConfig;
}
/**
* Sets hosted provider's entity ID.
* @param hostedId hosted provider's entity ID
*/
}
/**
* Sets hosted provider's role.
* @param hostedRole hosted provider's role
*/
this.hostedProviderRole = hostedRole;
}
/**
* Sets hosted provider's meta alias.
* @param metaAlias hosted provider's meta alias
*/
try {
} catch (FSAccountMgmtException e){
managerInst = null;
}
}
/**
* Sets realm.
*
* @param realm The realm under which the entity resides.
*/
}
/**
* Sets remote provider's entity ID.
* @param remoteId remote provider's entity ID
*/
}
/**
* Sets remote provider descriptor.
* This function is called to give state to the Name registration
* handler The remote provider identifies the provider who sent a request
* or with whom registration is to be initiated.
* @param remoteDescriptor the Remote provider Descriptor
*/
"Entered FSNameRegistrationHandler::setRemoteDescriptor");
this.remoteDescriptor = remoteDescriptor;
}
/**
* Sets the UserDN.
* @param userID the user who is initiating
*/
{
}
/**
* Sets the federation account information for the
* user with a specific remote provider.
* @param acctInfo the account fed info object
*/
{
}
/**
* Determines the user based on the registration request received from
* a remote provider.
* @param regisRequest the name registration request
* @return <code>true</code> a user is found; <code>false</code> otherwise.
*/
{
try {
/**
* UserDN needs to be figured from registration request
* 1. If OldNameIdentifier does not exist then its from SP to IdP
* (first time)
* 2. If OldNameIdentifier exist then we could be SP, IdP
* Need to find out whether to replace with SPNI or IDPNI based on
* acctFedInfo that is retrieved based on OldNameIdentifier or
* IdpNameIdentifier
* If isIDP true then remote is IdP so replace remoteIdentifier
* with IDPNameIdentifier.
* If isIDP false then remote is SP so replace remoteIdentifier
* with SPNameIdentifier
*/
}
if (oldNameIdentifier == null)
{
"processRegistrationRequest IdPName : " + opaqueHandle);
}
}
if (nameQualifier != null &&
{
}
opaqueHandle );
}
return false;
}
}
try {
} catch (FSAccountMgmtException e){
return false;
}
idpNameIdentifier, spNameIdentifier, false);
return true;
} else {
}
boolean isSPEmpty = false;
if (spNameIdentifier != null &&
{
} else {
isSPEmpty = true;
}
if (nameQualifier != null &&
{
}
}
if (nameQualifier != null &&
{
}
acctkey = new FSAccountFedInfoKey(
}
acctkey = new FSAccountFedInfoKey(
"step 4");
}
if ((searchDomain != null) &&
{
acctkey = new FSAccountFedInfoKey(
"Search based on :" +
" " +
opaqueHandle );
}
}
}
return false;
} else {
}
{
}
if (isSPEmpty) {
// set spNI to null since is empty
newAcctInfo = new FSAccountFedInfo(
null,
newAcctKey = new FSAccountFedInfoKey(
} else {
newAcctInfo = new FSAccountFedInfo (
newAcctKey = new FSAccountFedInfoKey(
}
} else {
newAcctInfo = new FSAccountFedInfo (
newAcctKey = new FSAccountFedInfoKey(
}
}
} else {
}
newAcctInfo = new FSAccountFedInfo (
false);
newAcctKey = new FSAccountFedInfoKey(
}
} else {
}
if (isSPEmpty) {
// set spNI to null since is empty
newAcctInfo = new FSAccountFedInfo(
null,
newAcctKey = new FSAccountFedInfoKey(
} else {
newAcctInfo = new FSAccountFedInfo (
newAcctKey = new FSAccountFedInfoKey(
}
} else {
newAcctInfo = new FSAccountFedInfo(
newAcctKey = new FSAccountFedInfoKey(
}
}
}
}
return true;
} catch(FSAccountMgmtException e) {
}
return false;
}
/**
* Initiates the name registration operation.
* @param request HTTP request
* @param response HTTP response
* @param ssoToken corresponding to the user's session
* @return the status of the registration initiation operation.
* <code>true</code> if successful; <code>false</code> otherwise.
*/
public boolean handleNameRegistration(
)
{
"Entered FSNameRegistrationHandler::handleNameRegistration");
if (managerInst == null) {
"Account Manager instance is null");
"FSNameRegistrationHandler::handleNameRegistration" +
"failed to get Account Manager instance");
}
returnLocallyAtSource(response, false);
return false;
}
try {
this.userID =
} catch(SessionException e) {
"FSNameRegistrationHandler Constructor::SessionException:",e);
// cannot proceed without user
return false;
}
return (doRemoteRegistration());
}
/**
* Handles the name registration after sso.
* @param request HTTP request
* @param response HTTP response
* @param ssoToken corresponding to the users's session
* @return the status of the registration initiation operation.
* <code>true</code> if successful; <code>false</code> otherwise.
*/
public boolean handleNameRegistration(
{
"Entered FSNameRegistrationHandler::handleNameRegistration");
if (managerInst == null) {
"Account Manager instance is null");
"FSNameRegistrationHandler::handleNameRegistration" +
"failed to get Account Manager instance");
}
returnLocallyAtSource(response, false);
return false;
}
try {
this.userID =
} catch(SessionException e) {
"FSNameRegistrationHandler Constructor::SessionException", e);
// cannot proceed without user
return false;
}
boolean bRemoteStatus = doRemoteRegistration();
"Returning cntrol to SIngle Sign On with status " +
}
return bRemoteStatus;
}
/**
* Does local name registration and initiates remote registration with the
* IDP.
* @param LRURL the final return URL after Name registration is complete
* @param response HTTP response object
* @return <code>true</code> if successful; <code>false</code> otherwise.
*/
public boolean handleRegistrationAfterFederation(
{
"handleNameRegistration");
}
if (managerInst == null) {
"FSNameRegistrationHandler::handleNameRegistration" +
"failed to get Account Manager instance");
}
return false;
}
boolean bRemoteStatus = doRemoteRegistration();
"Completed registration after federation with status " +
}
return bRemoteStatus;
}
/**
* Initiates the name registration operation.
* @param request HTTP request
* @param response HTTP response
* @param regisResponse <code>FSNameRegistrationResponse</code> object
* @return <code>true</code> if the operation succeeds; <code>false</code>
* otherwise.
*/
public boolean processRegistrationResponse(
{
"handleRegistrationResponse");
}
this.regisResponse = regisResponse;
if (managerInst == null) {
"Account Manager instance is null");
"FSNameRegistrationHandler::handleNameRegistration" +
"failed to get Account Manager instance");
}
returnLocallyAtSource(response, false);
return false;
}
}
if (relayState == null) {
returnLocallyAtSource(response,false);
return true;
} else {
+ "for state = " + relayState);
}
returnLocallyAtSource(response,false);
return false;
} else {
// remove from the registration manager map
"OldAccountKey");
if (oldAcctKey != null) {
oldAcctKey.getName() +
"\nGet OldAcctKet Qualifier : " +
}
} else {
}
if (newAcctKey != null) {
newAcctKey.getName() +
"Get newAcctKey Qualifier : " +
}
} else {
}
boolean bStatus = doCommonRegistration();
{
"call postRegisterNameIdentifier success");
}
}
return bStatus;
}
}
} else if (responseStatus.equals(
{
"Name registration Failed. Federation does not exist");
returnLocallyAtSource(response, false);
return false;
} else if (responseStatus.equals (
{
returnLocallyAtSource(response, false);
return false;
}
return false;
}
/**
* Initiates federation registration at remote end.
* The registration request is constructed and based on the profile the
* request is sent over SOAP or as HTTP redirect. Profile is always based on
* the SPs profile.
* @return <code>true</code> if the process is successful;
* <code>false</code> otherwise.
*/
private boolean doRemoteRegistration()
{
"Entered FSNameRegistrationHandler::doRemoteRegistration");
try {
try {
}
} catch (FSAccountMgmtException e){
returnLocallyAtSource(response, false);
return false;
}
"FSNameRegistrationHandler::doRemoteRegistration create" +
" request start");
}
if (regisRequest == null) {
"FSNameRegistrationHandler::Registration request could "
+ "not be formed");
}
returnLocallyAtSource(response, false);
return false;
}
"FSNameRegistrationHandler::Registration request formed" +
"successfully");
}
// Find out which profile to use
boolean isSOAPProfile = true;
"doRemoteRegistration no registration profile" +
" cannot process request");
returnLocallyAtSource(response, false);
return false;
}
{
isSOAPProfile = true;
} else if (hostProfile.equalsIgnoreCase(
{
isSOAPProfile = false;
} else {
"doRemoteRegistration Invalid registration profile" +
" cannot process request");
returnLocallyAtSource(response, false);
return false;
}
} else {
"doRemoteRegistration no registration profile" +
" cannot process request");
returnLocallyAtSource(response, false);
return false;
}
{
isSOAPProfile = true;
} else if (remoteProfile.equalsIgnoreCase(
{
isSOAPProfile = false;
} else {
"doRemoteRegistration Invalid registration profile" +
" cannot process request");
returnLocallyAtSource(response, false);
return false;
}
}
if (isSOAPProfile)
{
"Signing suceeded. To call bindRegistrationRequest");
if (msgRegistration != null) {
try {
if(FSServiceUtils.isSigningOn()) {
int minorVersion =
if (minorVersion ==
{
regisRequest.getID());
} else if(minorVersion ==
{
} else {
"invalid minor version.");
}
}
"sendRegistrationMessage");
}
} catch (SOAPException e) {
returnLocallyAtSource(response, false);
return false;
returnLocallyAtSource(response, false);
return false;
}
if (retSOAPMessage == null) {
+ "return response is null");
}
returnLocallyAtSource(response, false);
return false;
}
+ "parseSOAPMessage after return from IDP");
}
{
{
+ "signature verification failed");
" failed in doRemoteRegistration");
}
returnLocallyAtSource(response, false);
return false;
}
}
"Response signature verification succeeded");
{
try {
new FSNameRegistrationResponse (elt);
} catch (SAMLException e){
}
if (regisResponse != null){
((regisResponse.getStatus()).
getStatusCode()).getValue();
if (responseStatus.equals(
{
"Name registration Successful");
// do local update
if (oldAcctKey != null) {
"Get OldAcctKet Name : " +
oldAcctKey.getName() +
"\nGet OldAcctKet Qualifier:" +
}
} else {
"OldAccount Key is null");
}
if (newAcctKey != null)
{
"Get newAcctKey Name : " +
newAcctKey.getName() +
"\nGet newAcctKey Qualifier:" +
}
} else {
"newAcctKey Key is null");
}
regisSource = (String)
boolean bStatus = doCommonRegistration();
"doCommonRegistration returns " +
bStatus);
}
// Call SP Adapter
{
}
return bStatus;
} else if (responseStatus.equals(
{
"registration Failed. " +
"Federation does not exist");
}
response, false);
return false;
} else if (responseStatus.equals (
{
"Name registration Failed.");
response, false);
return false;
}
}
}
}
}
returnLocallyAtSource(response, false);
return false;
} else {
"FSNameRegistrationHandler::doRemoteRegistration " +
"In Redirect profile");
}
// addition of relay state
}
// add information to FSRegistrationMap
}
// sat1 add null checks
"\nPutting in Map Value : " + value);
}
}
// Sign the request querystring
if (FSServiceUtils.isSigningOn()) {
"FSBrowserArtifactConsumerHandler:: " +
"signSAMLRequest:" +
"couldn't obtain this site's cert alias.");
}
throw new SAMLResponderException(
}
}
} else {
}
redirectURL.toString());
}
// end of addition
return true;
}
} catch (IOException e) {
} catch (FSMsgException e) {
"FSNameRegistrationHandler::doRemoteRegistration " +
} catch (SAMLResponderException e) {
"FSNameRegistrationHandler::doRemoteRegistration " +
}
returnLocallyAtSource(response, false);
return false;
}
/**
* Processes the registration request received from a
* remote provider. Invoded when Http redirect profile is used.
* @param request HTTP request
* @param response HTTP response
* @param regisRequest the name registration request received from
* remote provider
*/
public void processRegistrationRequest(
{
"processRegistrationRequest...");
}
this.regisRequest = regisRequest;
if (managerInst == null) {
"FSNameRegistrationHandler " +
"FSNameRegistrationHandler::handleNameRegistration" +
"failed to get Account Manager instance");
}
return;
}
if (!bUserStatus) {
"Name registration request");
}
return;
}
boolean retStatus = doCommonRegistration();
}
if (retStatus) {
"FSNameRegistrationHandler::handleNameRegistration"
+ "registration in DS completed successfully");
}
try {
null,
new Status(statusCode),
if (hostedProviderRole != null &&
{
}
} catch (FSMsgException e) {
"failed to create registration response", e);
}
} catch (SAMLException e) {
"failed to create registration response", e);
}
}
} else { // retStatus is false
"FSNameRegistrationHandler::handleNameRegistration"
+ "registration in DS failed");
}
try {
statusCode = new StatusCode(
null,
new Status(statusCode),
} catch (FSMsgException e) {
"failed to create registration response", e);
}
} catch (SAMLException e) {
"failed to create registration response, e");
}
}
}
return;
}
/**
* Processes the name registration request received from a
* remote provider. Invoded when SOAP profile is used.
* @param regisRequest the name registration request received from
* remote provider
*/
{
try {
boolean regisSucceed = false;
"Entered FSNameRegistrationHandler::processRegistrationRequest");
if (managerInst == null) {
"FSNameRegistrationHandler Account Manager instance is null");
"FSNameRegistrationHandler::handleNameRegistration" +
"failed to get Account Manager instance");
}
statusCode = new StatusCode(
try {
null,
new Status(statusCode),
} catch (FSMsgException e) {
+ "failed to create registration response");
}
return null;
}
return regisResponse;
}
"Begin processRegistrationRequest SOAP profile...");
if (regisRequest != null) {
if (bUserStatus) {
boolean retStatus = doCommonRegistration();
}
if (retStatus) {
"FSNameRegistrationHandler::handleNameRegistra"
+ "tion:registration in DS completed "
+ "successfully");
}
try {
statusCode = new StatusCode(
null,
new Status(statusCode),
regisSucceed = true;
} catch (FSMsgException e) {
"FSNameRegistrationHandler::" +
"failed to create registration response");
}
return null;
} catch (SAMLException ex) {
"FSNameRegistrationHandler::" +
"failed to create registration response");
}
return null;
}
} else {
"FSNameRegistrationHandler::handleNameRegis" +
"tration: registration in DS failed");
}
try {
statusCode = new StatusCode(
null,
new Status(statusCode),
} catch (FSMsgException e) {
"FSNameRegistrationHandler::" +
"failed to create registration response");
}
return null;
} catch (SAMLException ex) {
"FSNameRegistrationHandler::" +
"failed to create registration response");
}
return null;
}
}
} else {
"Failed to get UserDN. Invalid registration request");
try {
statusCode = new StatusCode(
null,
new Status(statusCode),
} catch (FSMsgException e) {
"FSNameRegistrationHandler::" +
"failed to create registration response");
}
return null;
} catch (SAMLException ex) {
"FSNameRegistrationHandler::" +
"failed to create registration response");
}
return null;
}
}
} else {
"FSNameRegistrationHandler::processRegistrationRequest " +
"name registration request is improper");
return null;
}
{
}
return regisResponse;
} catch (SAMLException e){
"FSNameRegistrationHandler::SAMLException", e);
}
return null;
}
}
/**
* Redirects to final destination after registration. Invoked at the end of
* the registration operation at the end where registration was initiated.
* The isSuccess determines if a success message or a failure message is
* displayed.
* @param response <code>HttpServletResponse</code> object
* @param isSuccess determines the content of the registration-done.jsp
*/
public void returnLocallyAtSource(
{
try {
}
} catch (IOException e) {
return;
}
.append("/")
// sat1 add null checks
}
try {
}
} catch (IOException e) {
"Error when redirecting back to SSO service", e);
return;
}
try {
"Entered returnLocallyAtSource with isSuccess set to "
+ isSuccess);
}
char delimiter;
< 0)
{
} else {
}
if (isSuccess) {
} else {
}
} catch(IOException e) {
"Exception in returnLocallyAtSource:" , e);
}
}
}
return;
}
/**
* Signs the Name registration request before sending it to the IDP.
* @param msg the request message to be sent to IDP
* @param idAttrName name of the id attribute to be signed
* @param id the value of the id attribute to be signed
* @return signed Name registration request
* @exception SAMLException, FSMsgException if error occurred.
*/
throws SAMLException, FSMsgException
{
"Entered FSNameRegistrationHandler::signRegistrationRequest");
"signRegistrationRequest: couldn't obtain "
+ "this site's cert alias.");
}
throw new SAMLResponderException(
}
+ "Request Provider's certAlias is found: " + certAlias);
}
id,
false,
xpath);
}
/**
* Verifies the Name registration response received
* from the IDP before processing locally.
* @param msg the response message
* @param isIDP whether the remote provider is an IDP or not
* @return <code>true</code> if signature is valid; <code>false</code>
* otherwise.
*/
protected boolean verifyResponseSignature(
"Entered FSNameRegistrationHandler::verifyResponseSignature");
try{
+ "couldn't obtain this site's cert .");
}
throw new SAMLResponderException(
}
+ ": Provider's cert is found.");
}
} catch (SAMLException e){
return false;
}
}
/**
* Generates the Name Registration request.
* @return FSNameRegistrationRequest
*/
{
try {
"createNameRegistrationRequest");
}
{
"calling of generateNameIdentifier Role : IdP ? " +
}
if (acctInfo.getAffiliation()) {
if (affiliationID != null) {
}
} else {
}
"out of generateNameIdentifier ****" +
"\nNew SP nameIdentifier Qualifier: " +
"\nNew SP nameIdentifier Name :" +
}
if (localIdentifier != null) {
localIdentifier.getFormat()));
try {
oldAcctKey = new FSAccountFedInfoKey(
} catch (FSAccountMgmtException e){
oldAcctKey = null;
}
} else {
// when Service Provider sends the name reg. request
// for the first time, OldProvidedNameIdentifier is
// same as the IDPProvidedNameIdentifier as per the spec
try {
oldAcctKey = new FSAccountFedInfoKey(
} catch (FSAccountMgmtException e){
oldAcctKey = null;
}
}
try {
if (oldAcctKey != null) {
oldAcctKey.getName() +
"\nGet OldAcctKet Qualifier : "+
}
} else {
}
} catch (FSAccountMgmtException e){
return null;
}
} else {
}
if (acctInfo.getAffiliation()) {
if (affiliationID != null) {
}
}
"New IDP nameIdentifier Name : " +
"\nNew IDP nameIdentifier Qualifier :"+
"out of generateNameIdentifier*****");
}
"Old IDP nameIdentifier Name : " +
"\nOld IDP nameIdentifier Qualifier :"+
}
localIdentifier.getFormat()));
if (remoteIdentifier != null) {
"SP nameIdentifier Name : " +
"SP nameIdentifier Qualifier :" +
}
new SPProvidedNameIdentifier (
}
try {
if (oldAcctKey != null) {
"Get OldAcctKet Name : " +
oldAcctKey.getName() +
"\nGet OldAcctKet Qualifier: "+
}
} else {
}
} catch (FSAccountMgmtException e){
return null;
}
}
return reqName;
}
} catch (SAMLException e){
}
}
return null;
}
/**
* Performs the operations on the users federated account at both the SP
* side, IDP side. The input parameters are generated
* at SP side and at the IDP side it is retrieved from the request received.
* @return <code>true</code> if the operation succeeded; <code>false</code>
* otherwise.
*/
private boolean doCommonRegistration() {
try{
// Get userID
}
if (oldAcctKey != null)
{
}
}
} else {
}
}
}
{
if (ssoSession != null) {
}
}
return true;
} catch(FSAccountMgmtException e){
}
return false;
}
}
/**
* Generates the <code>SPProvidedNameIdentifier</code> that will be
* communicated to the IDP. The IDP will in all future communication use
* this Name Identifier instead of the
* <code>IDPProvidedNameIdentifier</code>.
* @return Service Provider generated Name identifier
*/
try {
"Entered FSNameRegistrationHandler::generateNameIdentifier");
+ "ier returned null");
return null;
} else {
return nameIdentifier;
}
} catch (SAMLException e){
return null;
}
}
private void sendRegistrationResponse()
{
if (regisResponse != null) {
try {
} catch (FSMsgException e){
}
// Sign the request querystring
if (urlEncodedRequest != null){
if (FSServiceUtils.isSigningOn()) {
"FSBrowserArtifactConsumerHandler:: " +
"signSAMLRequest:" +
"couldn't obtain this site's cert alias.");
}
}
if (urlEncodedRequest != null) {
}
}
}
if (urlEncodedRequest != null) {
{
} else {
}
"FSNameRegistrationHandler::Redirect URL is " +
redirectURL.toString());
}
}
}
}
try {
return;
} catch (IOException e) {
return;
}
}
private void callPostRegisterNameIdentifierSuccess(
{
"call postRegisterNameIdentifier success");
}
try {
} catch (Exception e) {
// ignore adapter exception
regProfile, e);
}
}
}
}