/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: FSFedTerminationHandler.java,v 1.7 2009/11/03 00:49:26 madan_ranganath Exp $
*
* Portions Copyrighted 2015-2016 ForgeRock AS.
*/
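/**
* Handles federation termination between the hosted provider and a remote
* provider: termination initiated locally by the user, and termination
* requests received from the remote provider over the SOAP or HTTP redirect
* profile.
*/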
public class FSFedTerminationHandler {
/**
* Constructor. Initializes FSAccountManager, FSAllianceManager instance.
* <p>
* NOTE(review): the body is empty in this listing, so the initialization
* described above is not visible here. The only visible write to
* <code>managerInst</code> is the reset to <code>null</code> in the
* meta-alias setter; the request-handling methods check
* <code>managerInst == null</code> before doing any work.
*/
public FSFedTerminationHandler() {
}
/**
* Invoked to set some commonly used URLs based on hosted provider.
* <p>
* NOTE(review): the body is empty in this listing. The handlers in this
* class pass <code>termination_done_url</code> to their completion call;
* presumably that field is assigned here - confirm against the full source.
*/
protected void setTerminationURL() {
}
/**
* Sets state to the Federation Termination handler that is handling the
* current federation termination. The hosted provider identifies the
* provider who is handling the termination request or initiating it locally.
* @param hostedDescriptor the Hosted provider Descriptor
*/
{
// The log prefix names "FSSPFedTerminationHandler" although this class is
// FSFedTerminationHandler; keep that in mind when searching debug logs.
"Entered FSSPFedTerminationHandler::setHostedDescriptor");
this.hostedDescriptor = hostedDescriptor;
}
/**
* Sets hosted provider's extended meta.
* @param hostedConfig hosted provider's extended config
*/
// Stores the supplied extended config on this handler; no validation is
// visible in this listing.
this.hostedConfig = hostedConfig;
}
/**
* Sets hosted provider's entity ID.
* @param hostedId hosted provider's entity id
*/
}
/**
* Sets hosted provider's role.
* <p>
* The stored role is later tested (<code>hostedProviderRole != null
* &amp;&amp; ...</code>) before the SP adapter callbacks in the request
* handlers.
* @param hostedProviderRole hosted provider's role
*/
this.hostedProviderRole = hostedProviderRole;
}
/**
* Sets hosted provider's meta alias.
* <p>
* If the work inside the try block fails, <code>managerInst</code> is reset
* to <code>null</code>; the request-handling methods of this class check for
* that value and stop early.
* @param metaAlias hosted provider's meta alias
*/
try {
// NOTE(review): the statement(s) guarded by this try are not visible in
// this listing.
} catch (Exception e){
// The exception is discarded here. Logging it would let an operator see
// why the account manager is unavailable, instead of only the later
// "failed to get Account Manager instance" message.
managerInst = null;
}
}
/**
* Sets realm.
* @param realm The realm under which the entity resides.
*/
}
/**
* Sets remote provider's entity ID.
* @param remoteId remote provider's entity id
*/
}
/**
* Sets state to the Federation Termination handler that is handling the
* current federation termination. The remote provider identifies the
* provider who sent a request or with whom termination is to be initiated.
* @param remoteDescriptor the Remote provider Descriptor
*/
// Entry trace, then the descriptor is stored as-is; no validation of the
// descriptor is visible in this listing.
"Entered FSFedTerminationHandler::setRemoteDescriptor");
this.remoteDescriptor = remoteDescriptor;
}
/**
* Sets the UserID.
* @param userID the user who is initiating the termination process
*/
}
/**
* Sets the federation account information for the user with a specific
* remote provider.
* @param acctInfo the account fed info object
*/
}
/**
* Finds the user based on the termination request received from a remote
* provider.
* <p>
* Returns <code>false</code> both when the lookup does not succeed and when
* an <code>FSAccountMgmtException</code> is caught, so callers cannot tell
* the two cases apart from the return value.
* @param reqTermination the termination request
* @return <code>true</code> if the user is found; <code>false</code>
* otherwise.
*/
{
try {
// UserDN needs to be figured from termination request
// The lookup is only attempted when an account manager is available.
if (managerInst != null) {
}
// NOTE(review): opaqueHandle and associatedDomain look like values read
// from the remote provider's request and appended to debug messages;
// treat them as untrusted input for lookup and logging - confirm.
+ opaqueHandle);
}
+ associatedDomain);
}
}
if ((associatedDomain != null) &&
{
}
// A federation-info key is built for the account lookup; its arguments are
// not visible in this listing.
acctkey = new FSAccountFedInfoKey(
return false;
}
}
}
return true;
}
} catch(FSAccountMgmtException e) {
// NOTE(review): this catch body is empty as shown, so the failure falls
// through to the final "return false" - confirm it is logged in the full
// source.
}
return false;
}
/**
* Initiates the federation termination operation.
* <p>
* Visible order of work: check that an account manager is available,
* resolve the user from the session, update the local account state, and
* only then call <code>doFederationTermination</code> to notify the remote
* provider. The value returned is the status of that remote step.
* @param request HTTP request
* @param response HTTP response
* @param ssoToken corresponding to the user's session
* @return <code>true</code> if the termination initiation operation is
* successful; <code>false</code> otherwise.
*/
public boolean handleFederationTermination(
{
"Entered FSFedTerminationHandler::handleFederationTermination");
// Without an account manager nothing can be updated: log, complete the
// response with the failure flag, and stop.
if (managerInst == null) {
"Account Manager instance is null");
// The two literals below are concatenated without a separating space, and
// the prefix names "FSSPFedTerminationHandler" rather than this class.
"FSSPFedTerminationHandler::handleFederationTermination" +
"failed to get Account Manager instance");
}
response, termination_done_url, false,
return false;
}
try {
this.userID =
} catch(SessionException e) {
"FSFedTerminationHandler::handleFederationTermination:", e);
// cannot proceed without user
// NOTE(review): in this listing this path returns without the
// termination_done_url call seen on the other failure paths - confirm the
// response is still completed for the user.
return false;
}
// Local account update failed: report failure and do not contact the remote
// provider.
if (!bStatus) {
"FSSPFedTerminationHandler::handleFederationTermination "
+ "Federation Termination failed locally. Cannot update "
+ "account");
}
response, termination_done_url, false,
return false;
}
// Local state is already updated at this point; the remote notification
// result becomes the return value.
boolean bRemoteStatus = doFederationTermination(
return bRemoteStatus;
}
/**
* Updates the user account information. After successful operation,
* the federation status corresponding to the user with the remote provider
* is set to inactive.
* @param ni <code>NameIdentifier</code> object corresponding to a user
* @return boolean containing the status of the update operation:
* <code>false</code> when an <code>FSAccountMgmtException</code> is caught,
* <code>true</code> at the end of the method
*/
try {
"FSFedTerminationHandler::updateAccountInformation: start");
// get name identifier to remove it from federation info key
if(nameQualifier != null &&
{
}
}
} else {
}
}
}
"updateAccountInformation deactivate successfully completed");
}
} catch (FSAccountMgmtException e) {
// Account-management failure is reported to the caller as false.
"FSFedTerminationHandler::updateAccountInformation " +
return false;
}
// Clean SessionMap off the partner to be done here.
// The three messages below record the user and both provider identities for
// the session cleanup; the cleanup calls themselves are not visible in this
// listing.
"Cleaning Session manager for user : " + userID);
"Cleaning Session manager for remote provider: " +
"Cleaning Session manager for hosted provider: " +
}
return true;
}
/**
* Processes the termination request received from a
* remote provider. Invoked when Http redirect profile is used.
* <p>
* NOTE(review): no signature or issuer check on
* <code>reqTermination</code> is visible in this method. Presumably the
* caller verifies the request before handing it over - confirm, because
* this method goes on to deactivate the user's federation.
* @param request HTTP request
* @param response HTTP response
* @param reqTermination the federation termination request received from
* remote provider
*/
public void processTerminationRequest(
{
"Entered FSFedTerminationHandler::processTerminationRequest...");
if (managerInst == null) {
// Log text names handleFederationTermination and omits the space between
// the two literals; it is emitted from processTerminationRequest.
"FSSPFedTerminationHandler::handleFederationTermination" +
"failed to get Account Manager instance");
}
return;
}
// Deactivate the federation locally; stop if that fails.
boolean bStatus = updateAccountInformation(
if (!bStatus) {
return;
}
// Call SP Adapter for remote IDP initiated HTTP profile
if (hostedProviderRole != null &&
{
try {
} catch (Exception e) {
// ignore adapter exception
// A failing adapter does not undo the termination that already happened.
}
}
}
return;
}
/**
* Processes the termination request received from a
* remote provider. Invoked when SOAP profile is used.
* <p>
* NOTE(review): no signature or issuer check on
* <code>reqTermination</code> is visible in this method. Presumably the
* SOAP receiver verifies the request before calling it - confirm.
* @param reqTermination the federation termination request received from
* remote provider
* @return <code>true</code> when the process is successful;
* <code>false</code> otherwise.
*/
public boolean processSOAPTerminationRequest(
{
"Entered FSFedTerminationHandler::processSOAPTerminationRequest");
if (managerInst == null) {
"Account Manager instance is null");
// Log text names handleFederationTermination and omits the space between
// the two literals; it is emitted from processSOAPTerminationRequest.
"FSSPFedTerminationHandler::handleFederationTermination" +
"failed to get Account Manager instance");
}
return false;
}
"Begin processTerminationRequest SOAP profile...");
}
boolean bStatus = false;
// Three outcomes follow: a null request is rejected, a request whose user
// cannot be resolved is rejected, and otherwise the account update decides
// the result.
if (reqTermination != null) {
if (bUserStatus) {
if (!bStatus) {
return false;
} else {
// Call SP Adapter for remote IDP initiated SOAP case
if (hostedProviderRole != null &&
{
"FSFedTerminationHandler.SOAP");
try {
} catch (Exception e) {
// ignore adapter exception
// A failing adapter does not change the true result returned below.
}
}
}
return true;
}
} else {
"Failed to get UserDN. Invalid termination request");
return false;
}
} else{
"FSFedTerminationHandler::processTerminationRequest " +
"Federation termination request is improper");
return false;
}
}
/**
* Resets federate cookie when termination is done with one remote provider.
* If no active federations exists then the cookie is set to "no"; otherwise
* it is set to "yes".
* <p>
* NOTE(review): most of the body is missing from this listing; only the
* early returns, two log fragments that include <code>userID</code>, and
* the exception handler are visible.
*/
public void resetFederateCookie() {
try {
return;
} else {
"User : " + userID +
}
} else {
"User : " + userID +
}
}
}
}
}
}
} catch (FSAccountMgmtException e) {
// The cookie is left unchanged when the account lookup fails; no log call is
// visible here in this listing.
return;
}
}
/**
* Determines the return location and redirects based on
* federation termination Return URL of the provider that sent the
* termination request.
* <p>
* NOTE(review): where the return URL is read from is not visible in this
* listing. Per the description above it belongs to the requesting
* provider; confirm it is taken from that provider's registered metadata
* and not from a request parameter, since the browser is redirected to it.
*/
private void returnToSource() {
"Entered FSFedTerminationHandler::returnToSource");
try {
}
return;
} else {
// Presumably selects the separator used when appending parameters to the
// return URL - the assignments are not visible in this listing.
char delimiter;
} else {
}
}
}
return;
}
} catch (IOException e) {
// A failed redirect is logged together with the exception.
+ " processing completed", e);
}
// create new bundle entry for redirect failure
return;
}
/**
* Signs Federation termination request before sending it to the remote
* provider.
* <p>
* A <code>SAMLResponderException</code> is thrown after the "couldn't
* obtain this site's cert alias" message, so a missing alias appears to
* abort signing instead of returning the message unsigned.
* @param msg <code>SOAPMessage</code> which includes termination request
* to be sent to remote provider
* @param idAttrName name of the id attribute to be signed
* @param id the value of the id attribute to be signed
* @return signed termination request in <code>SOAPMessage</code>
* @exception SAMLException if an error occurred during signing
*/
throws SAMLException
{
// Log prefixes in this method name "FSSPFedTerminationHandler" although the
// class is FSFedTerminationHandler.
"FSSPFedTerminationHandler.signTerminationRequest: Called");
// The two literals below are concatenated without a separating space.
"FSSPFedTerminationHandler.signTerminationRequest: couldn't"
+ "obtain this site's cert alias.");
}
throw new SAMLResponderException(
}
// Only the alias name is logged here, not key material.
"FSSPFedTerminationHandler.signTerminationRequest: Provider's "
+ "certAlias is found: " + certAlias);
}
// Trailing arguments of the signing call; the call itself and its leading
// arguments are not visible in this listing.
id,
false,
xpath);
}
/**
* Generates Federation termination request based on the
* <code>FSAccountFedInfo</code> object that represents the account
* federation for a user between 2 providers.
* @param acctInfo represents the current user account information
* @return termination request message, or <code>null</code> on the failure
* branch at the end of the method
*/
{
"FSFedTerminationHandler::createFederationTerminationRequest:");
if (nameIdentifier == null) {
}
}
// TODO: Any more member settings + signature
// The request is returned unsigned from here, as the TODO above indicates;
// signing is handled by the sender (see the isSigningOn() checks in
// doFederationTermination).
return reqName;
} else {
"FSFedTerminationHandler::createFederationTerminationRequest " +
// Callers must handle null; doFederationTermination checks
// reqFedTermination == null before using the request.
return null;
}
}
/**
* Initiates federation termination at remote end.
* The termination requested is constructed and based on the profile the
* request is sent over SOAP or as HTTP redirect. Profile is always based on
* the SPs profile
* <p>
* The visible failure paths still issue the completion call carrying
* <code>termination_done_url, true</code> (described by the existing
* comments as showing the success page) and then return <code>false</code>.
* The user therefore sees success even when the remote provider was not
* notified; the <code>false</code> return and the debug messages are the
* only signal that the remote side may still hold an active federation.
* @param acctInfo represents the user account federation information
* @return <code>true</code> if termination request is sent to remote
* provider successfully; <code>false</code> otherwise.
*/
private boolean doFederationTermination(
{
"Entered FSFedTerminationHandler::doFederationTermination");
try {
"FSFedTerminationHandler::doFederationTermination create" +
" request start");
}
// No request could be built: nothing is sent to the remote provider.
if (reqFedTermination == null) {
// Log prefix names "FSIDPFedTerminationHandler", not this class.
"FSIDPFedTerminationHandler::Termination request could "
+ "not be formed");
}
// Always show success page since local termination succeeded
response, termination_done_url, true,
return false;
}
// The two literals below are concatenated without a separating space.
"FSIDPFedTerminationHandler::Termination request formed" +
"successfully");
}
// Find out which profile to use
// SOAP is the initial value; the branches below either confirm it, switch to
// redirect, or return.
boolean isSOAPProfile = true;
"doFederationTermination no termination profile" +
" cannot process request");
response, termination_done_url, true,
return false;
}
// NOTE(review): the same profile selection appears twice, once in each
// branch of an enclosing if/else whose condition is not visible in this
// listing.
if (profile.equalsIgnoreCase(
{
isSOAPProfile = true;
} else if (profile.equalsIgnoreCase(
{
isSOAPProfile = false;
} else {
// An unrecognized profile is rejected rather than defaulted.
"doFederationTermination Invalid termination profile" +
" cannot process request");
response, termination_done_url, true,
return false;
}
} else {
"doFederationTermination no termination profile" +
" cannot process request");
response, termination_done_url, true,
return false;
}
if (profile.equalsIgnoreCase(
{
isSOAPProfile = true;
} else if (profile.equalsIgnoreCase(
{
isSOAPProfile = false;
} else {
"doFederationTermination Invalid termination profile" +
" cannot process request");
response, termination_done_url, true,
return false;
}
}
if (isSOAPProfile) {
// NOTE(review): this message says signing succeeded, yet the signing step
// guarded by isSigningOn() comes later in this branch; do not read it as
// proof that a request was signed.
"Signing suceeded. To call bindTerminationRequest");
//String id = reqFedTermination.getRequestID();
reqFedTermination.toXMLString(true, true));
if (msgTermination != null) {
try {
// The SOAP message is signed only when signing is enabled for the
// deployment.
if (FSServiceUtils.isSigningOn()) {
int minorVersion =
if (minorVersion ==
{
} else if(minorVersion ==
{
} else {
// NOTE(review): only a log statement is visible in this branch. Confirm
// that an unrecognized minor version does not let the message go out
// unsigned while signing is on.
"invalid minor version.");
}
}
boolean sendStatus =
// Call SP Adapter for SP initiated SOAP profile
if (hostedProviderRole != null &&
{
try {
} catch (Exception e) {
// ignore adapter exception
e);
}
}
}
// Always show success page since local termination
// succeeded and that is what is important
response, termination_done_url, true,
// The caller learns whether the SOAP send worked from this value only.
return sendStatus;
} catch (Exception e) {
"FSFedTerminationHandler::" +
"doFederationTermination " +
// Always show success page since local
// termination succeeded
response, termination_done_url, true,
return false;
}
} else {
"FSSPFedTerminationHandler::doFederation" +
"Termination failed. Error in forming Message");
}
"FSSPFedTerminationHandler.doFederationTermination "
// Always show success page since local termination
// succeeded
response, termination_done_url, true,
return false;
}
}
"FSFedTerminationHandler::doFederationTermination " +
"failed. Cannot get Service Manager instance");
}
"FSSPFedTerminationHandler::doFederationTermination " +
// Always show success page since local termination succeeded
response, termination_done_url, true,
return false;
} else {
"FSFedTerminationHandler::doFederationTermination " +
"In Redirect profile");
}
// Sign the request querystring
if (FSServiceUtils.isSigningOn()) {
// This message carries the prefix of another class
// (FSBrowserArtifactConsumerHandler / signSAMLRequest), which can mislead
// log triage; it is emitted from doFederationTermination.
"FSBrowserArtifactConsumerHandler:: " +
"signSAMLRequest:" +
"couldn't obtain this site's cert alias.");
}
// With signing on, a missing cert alias aborts the redirect instead of
// sending an unsigned query string.
throw new SAMLResponderException(
}
}
}
} else {
}
// NOTE(review): the full redirect URL is written to the debug log;
// presumably it carries the request parameters and, when signing is on,
// the signature - confirm this is acceptable for the log's audience.
"FSFedTerminationHandler::Redirect URL is " +
redirectURL.toString());
}
// Call SP Adapter for SP initiated HTTP profile
// ideally this should be called from the
// FSTerminationReturnServlet, but info not available there
if (hostedProviderRole != null &&
{
try {
} catch (Exception e) {
// ignore adapter exception
}
}
}
return true;
}
// NOTE(review): the IOException handler is empty as shown; the other two
// handlers log before falling through to the common failure exit.
} catch (IOException e) {
} catch (FSMsgException e) {
"FSFedTerminationHandler::doFederationTermination " +
} catch (SAMLResponderException e) {
"FSFedTerminationHandler::doFederationTermination " +
}
// Always show success page since local termination succeeded
response, termination_done_url, true,
return false;
}
}