/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: AssertionManager.java,v 1.13 2010/01/09 19:41:06 qcheng Exp $
*
* Portions Copyrighted 2013-2015 ForgeRock AS.
*/
/**
* The class <code>AssertionManager</code> is a <code>final</code> class
* that provides interfaces to create, get and destroy <code>Assertion</code>s.
* <p>
* It is a singleton class; an instance of this class can be obtained by
* calling <code>AssertionManager.getInstance()</code>.
* <p>
* Having obtained an instance of <code>AssertionManager</code>, its methods
* <code>AssertionArtifact</code>, and to obtain decision from an
* <code>Query</code>.
* <p>
* This class could only be used in the same JVM as OpenAM.
* @supported.api
*/
public final class AssertionManager {
// General stats class
// Assertion Statistics Class
// Artifact Statistics Class
"com.sun.identity.authentication.super.user";
private static long cleanUpInterval;
private static long assertionTimeout;
private static long artifactTimeout;
private static long notBeforeSkew;
static {
try {
} catch (SessionException se) {
se);
}
}
// Singleton instance of AssertionManager
// used to store artifact to assertionID mapping
// used to store assertionIDString to entry mapping
private class Entry {
{
}
return assertion;
}
return destID;
}
}
return artString;
}
}
return token;
}
}
private class ArtEntry {
this.expiretime = expiretime;
}
return aID;
}
public long getExpireTime() {
return expiretime;
}
}
/**
* Default Constructor
*/
private AssertionManager() {
idEntryMap = new HashMap();
artEntryMap = new HashMap();
try {
} catch (Exception e) {
}
}
};
}
};
}
}
/**
* Gets the singleton instance of <code>AssertionManager</code>.
* @return The singleton <code>AssertionManager</code> instance
* @throws SAMLException if unable to get the singleton
* <code>AssertionManager</code> instance.
* @supported.api
*/
// not throwing any exception
synchronized (AssertionManager.class) {
+ " of AssertionManager");
}
instance = new AssertionManager();
}
}
}
return instance;
}
/**
* This method creates an Assertion that contains an
* <code>AuthenticationStatement</code>.
* @param token user's session object that contains authentication
* information which is needed to create the
* <code>AuthenticationStatement</code>.
* @return Assertion The created Assertion.
* @throws SAMLException If the Assertion cannot be created.
* @supported.api
*/
throws SAMLException
{
} else if(assertionVersion.equals(
} else {
"assertionVersionNotSupport"));
}
}
/**
* This method creates an Assertion that contains an
* <code>AuthenticationStatement</code> and
* an <code>AttributeStatement</code>.
* @param token User' session object that contains authentication
* information which is needed to create the
* <code>AuthenticationStatement</code> for the Assertion.
* @param attributes A list of Attribute objects which are used to
* create the <code>AttributeStatement</code> for the Assertion.
* @return Assertion The created Assertion.
* @throws SAMLException If the Assertion cannot be created.
* @supported.api
*/
throws SAMLException
} else if (assertionVersion.equals(
} else {
"assertionVersionNotSupport"));
}
}
throws SAMLException
{
+ "input Session is null.");
}
if (sessionProvider == null) {
"nullSessionProvider"));
}
}
/**
* This method creates an <code>AssertionArtifact</code> for the given
* Assertion.
*
* @param assertion The Assertion for which an Artifact needs to be created.
* @param destID The <code>sourceID</code> of the site for which the
* <code>AssertionArtifact</code> is created. It is in raw String
* format (not Base64 encoded, for example.) This String can be
* obtained from converting the 20 bytes sequence to char Array, then
* from the char Array to String.
* @return <code>AssertionArtifact</code>
* @throws SAMLException If the <code>AssertionArtifact</code> cannot be
* created.
* @supported.api
*/
throws SAMLException
{
+ "fact(Assertion, String): null input.");
}
"(Assertion, String): destID not in partner list.");
throw new SAMLException(
}
+ "Artifact(Assertion,String): couldn't generate "
+ "assertion handle.");
throw new SAMLResponderException(
}
}
}
try {
synchronized (idEntryMap) {
}
{
}
} catch (Exception e) {
+ "Artifact(Assertion,String): couldn't add to "
+ "idEntryMap." + e);
throw new SAMLResponderException(
}
} else {
}
} else {
}
if (preArtString != null) {
{
}
{
}
+ "Artifact(Asssertion, String): Artifact exists for "
+ "the assertion.");
throw new SAMLResponderException(
} else {
{
}
}
}
}
// add to artEntry map
try {
synchronized (artEntryMap) {
}
}
}
} catch (Exception e) {
+ "fact(Assertion,String): couldn't add artifact to the "
+ "artEntryMap", e);
throw new SAMLResponderException(
}
return art;
}
/**
* This method gets all valid Assertions managed by this
* <code>AssertionManager</code>.
* @param token User's session object which is allowed to get all
* Assertion.
* @return A Set of valid Assertion IDs. Each element in the Set is a
* String representing an Assertion ID.
* @throws SAMLException If this method can not gets all valid Assertions.
* @supported.api
*/
throws SAMLException
{
+ "): input session is null.");
}
if (!isSuperUser(token)) {
+ "): Session doesn't have the privilege.");
}
return idEntryMap.keySet();
}
try {
if (sessionProvider == null) {
return false;
}
}
} catch (Exception e) {
"AssertionManager.isSuperUser:Exception: ", e);
}
}
return false;
}
/**
* This method gets the Assertion based on the Assertion ID.
* @param id The Assertion ID.
* @return An Assertion identified by the Assertion ID.
* @throws SAMLException If this method can not get the Assertion.
*/
throws SAMLException
{
+ "id is null.");
}
}
/**
* This method gets all valid <code>AssertionArtifacts</code>
* managed by this <code>AssertionManager</code>.
*
* @param token User's session object which is allowed to get all
* <code>AssertionArtifacts</code>.
* @return A Set of valid <code>AssertionArtifacts</code>. Each element in
* the Set is an <code>AssertionArtifacts</code> object representing
* an artifact.
* @throws SAMLException If this method can not gets all valid
* <code>AssertionArtifacts</code>.
* @supported.api
*/
throws SAMLException
{
"Object token): input token is null.");
}
if (!isSuperUser(token)) {
"Object token): Session doesn't have the privilege.");
}
return artEntryMap.keySet();
}
/**
* Returns Assertion that contains <code>AuthenticationStatement</code>.
* @param id The String that contains authentication information which
* is needed to create the assertion. It could be a string
* representation of an id, a cookie, etc.
* @param artifact the value to be set in the SubjectConfirmation of the
* <code>AuthenticationStatement</code>. If it's null,
* <code>SubjectConfirmation</code> is set to bearer.
* @param destID A String that is the site the assertion is created for.
* @param targetUrl A URL String representing the target site
* @param version The relying party preferred Assertion version number.
* @return Assertion The created Assertion.
* @throws SAMLException If the Assertion cannot be created.
*/
throws SAMLException {
}
/**
* Returns Assertion that contains <code>AuthenticationStatement</code>.
* @param id The String that contains authentication information which
* is needed to create the assertion. It could be a string
* representation of an id, a cookie, etc.
* @param artifact the value to be set in the SubjectConfirmation of the
* <code>AuthenticationStatement</code>. If it's null,
* <code>SubjectConfirmation</code> is set to bearer.
* @param request The HttpServletRerquest object of the request.
* @param response The HttpServletResponse object.
* @param destID A String that is the site the assertion is created for.
* @param targetUrl A URL String representing the target site
* @param version The relying party preferred Assertion version number.
* @return Assertion The created Assertion.
* @throws SAMLException If the Assertion cannot be created.
*/
throws SAMLException
{
if (partnerEntry != null) {
try {
if (sessionProvider == null) {
"nullSessionProvider"));
}
} else {
} else {
}
}
}
} catch ( SessionException ssoe) {
+ " exception retrieving info from the Session", ssoe);
return null;
}
}
// SAML post profile
// set minor version to 1
} else {
// set minor version to 0
}
} else {
} else {
" is not supported.");
return null;
}
}
}
{
// check input
+ "null input.");
}
}
try {
if (sessionProvider == null) {
"nullSessionProvider"));
}
authInstant = new Date();
} else {
}
try {
} catch (Exception e) {
// catching exception here since client ip is optional
"createAssertion(id):" +
"exception when obtaining client ip: ", e);
}
}
} catch (Exception e) {
"createAssertion(id):" +
" exception retrieving info from the Session: ", e);
return null;
}
if (partnerEntry != null) {
}
niMapper = new DefaultNameIdentifierMapper();
}
"name identifier is null.");
return null;
}
} else {
if (minorVersion == 0) {
// set default for SAML Artifact profile
// here, we use SAML 1.0 confirmation method as default.
} else {
}
} else {
// set to bearer for POST profile
}
}
}
}
}
// TODO: this period will be different for bearer
// TODO:set AuthorityBinding if any
{
}
try {
synchronized (idEntryMap) {
}
}
}
} catch (Exception e) {
+ "to idEntryMap.", e);
}
throw new SAMLResponderException(
}
} else {
}
// put artifact in artEntryMap
try {
synchronized (artEntryMap) {
}
}
}
} catch (Exception e) {
+ "artifact to the artEntryMap.", e);
}
throw new SAMLResponderException(
}
}
// create a listener and add the listener to the token
try {
} catch (SessionException e) {
+ " Couldn't add listener to session:", e);
} catch (UnsupportedOperationException uoe) {
+ " Operation add listener to session not supported:",
uoe);
}
}
return assertion;
}
/**
* Deletes an assertion from the server. This method is used by the
* AssertionSSOTokenListener and cleanup method in the package.
* @param assertionID the id of the Assertion to be deleted.
* @param artifact the artifact associated with this assertionID.
* When it's null, no artifact is associated with this assertionID.
*/
// this is the case when Session expired, and the assertion
// was created for artifact
"assertionArtifactRemoved"), artifact};
}
if (assertionID != null) {
// this is the case when assertion expired, check to see
// if the assertion is associated with an artifact
synchronized (artEntryMap) {
}
"assertionArtifactRemoved"), artifact};
}
}
}
} else {
synchronized (idEntryMap) {
}
}
}
}
/**
* Gets assertion associated with the AssertionArtifact.
* @param artifact An AssertionArtifact.
* @param destID A Set of String that represents the destination site id.
* The destination site requesting the assertion using
* the artifact. This String is compared with the destID that
* the artifact is created for originally.
* @param destCheckFlag true if desire to match the destionation id,
* otherwise it is false. If it is false, destID can
* be any string, including null.
* @return The Assertion referenced to by artifact.
* @throws SAMLException If an error occurred during the process, or no
* assertion maps to the input artifact.
*/
boolean destCheckFlag)
throws SAMLException {
}
// check the destination id; also if this artifact exists
// get server id.
// call AssertionManagerClient.getAssertion
"destid: calling another server in lb site:" + remoteUrl);
}
} // else
// get the assertion ID
long timeout = 0;
}
}
+ "stid): no Assertion found corresponding to artifact.");
}
throw new SAMLException(
} else {
}
}
+ "stid): no AssertionID found corresponding to artifact.");
}
throw new SAMLException(
}
+ "destid): artifact timed out.");
}
throw new SAMLException(
}
+ "stid): no Entry found corresponding to artifact.");
}
throw new SAMLException(
}
if (destCheckFlag) {
// check the destination id
"art, destid): no destID found corresponding to artifact.");
}
throw new SAMLException(
}
", destid): destinationID doesn't match.");
}
throw new SAMLException(
}
}
+ "stid): no Assertion found corresponding to aID.");
}
throw new SAMLException(
}
// remove the asssertion from artEntryMap
synchronized (artEntryMap) {
}
"assertionArtifactVerified"), artString};
if (SAMLServiceManager.getRemoveAssertion()) {
synchronized(idEntryMap) {
}
}
// check the time of the assertion
if (!assertion.isTimeValid()) {
+ aIDString + " is expired.");
}
throw new SAMLException(
}
return assertion;
}
/**
* Gets assertion associated with the AssertionArtifact.
* @param artifact An AssertionArtifact.
* @param destID The destination site requesting the assertion using
* the artifact. This String is compared with the destID that
* the artifact is created for originally.
* @return The Assertion referenced to by artifact.
* @throws SAMLException If an error occurred during the process, or no
* assertion maps to the input artifact.
*/
throws SAMLException {
}
throw new SAMLRequesterException(
}
}
/**
* Gets assertion associated with the AssertionArtifact.
* @param artifact An AssertionArtifact.
* @param destID A Set of String that represents the destination site id.
* The destination site requesting the assertion using
* the artifact. Each string in this set compares with the destID
* that the artifact is created for originally. If found match,
* continue the operation. Otherwise, throws error.
* @return The Assertion referenced to by artifact.
* @throws SAMLException If an error occurred during the process, or no
* assertion maps to the input artifact.
*/
throws SAMLException {
}
throw new SAMLRequesterException(
}
}
/**
* Gets assertion associated with the AssertionArtifact.
* @param artifact An AssertionArtifact.
* @return The Assertion referenced to by artifact.
* @throws SAMLException If an error occurred during the process, or no
* assertion maps to the input artifact.
*/
throws SAMLException {
}
throw new SAMLRequesterException(
}
}
/**
* Gets assertion created from the query.
* @param query An Assertion Query.
* @param destID to whom the assertion will be created for.
* @return The Assertion that is created from the query.
* @throws SAMLException If the Assertion cannot be created due to an
* error in the query or in the receiver.
*/
throws SAMLException {
+ " query is null.");
}
throw new SAMLRequesterException(
}
destID);
} else {
+ "type of query is not supported:" + queryType);
}
throw new SAMLRequesterException(
}
return result;
}
/**
* Gets assertion created from an AttributeQuery.
* @param query An AttributeQuery.
* @param destID to whom the assertion will be created for. Currently,
* it is the <code>sourceID</code> of the site that sends the query.
* @return The Assertion that is created from the query.
* @throws SAMLException If the Assertion cannot be created.
*/
throws SAMLException
{
// no need to log the error again
return null;
}
+ ": missing destID.");
}
throw new SAMLException(
}
+ ": empty partner URL list.");
}
throw new SAMLException(
}
{
+ ": couldn't obtain AttributeMapper.");
}
throw new SAMLException(
}
try {
if (sessionProvider == null) {
"nullSessionProvider"));
}
} catch (Exception e) {
+ "Assertion: invalid SSO token:", e);
}
throw new SAMLException(
}
} else { // token is null
+ "Assertion: couldn't find SSOAssertion in query.");
}
throw new SAMLException(
}
if (!assertion.isSignatureValid()) {
+ "Assertion: SSOAssertion is signature invalid.");
}
throw new SAMLException(
}
if (!assertion.isTimeValid()) {
+ "Assertion: SSOAssertion is time invalid.");
}
throw new SAMLException(
}
if (statement.getStatementType() ==
{
getSubject();
break;
}
}
if (ssoSubject == null) {
+ "Assertion: missing AuthenticationStatement in "
+ "SSOAssertion.");
}
throw new SAMLException(
}
{
// this server is the issuer
+ "this server is the issuer.");
}
}
}
{
}
} else {
{
}
}
} else { // this machine is not the issuer
+ "this server is not the issuer.");
}
}
}
// get here then got a valid token
return null;
}
{
}
// don't save the token and don't add listener
// add newEntry to idEntryMap
try {
synchronized (idEntryMap) {
}
}
}
} catch (Exception e) {
+ " couldn't add assertion to the idEntryMap.", e);
}
}
newAssertion.toString(true, true)};
} else {
}
return newAssertion;
}
/**
* Gets assertion created from an AuthenticationQuery.
* @param query An AuthenticationQuery.
* @param destID to whom the assertion will be created for.
* @return The Assertion that is created from the query.
* @throws SAMLException If the Assertion cannot be created.
*/
{
// no need to log the error again
return null;
}
// get the subject of the query
// get SubjectConfirmation
+ " missing SubjectConfirmation.");
}
// since we couldn't find the SSOToken in SubjectConfirmationData
// we don't know if the subject is authenticated to OpenAM.
throw new SAMLException(
}
// check ConfirmationMethod
// don't need to log again
throw new SAMLException(
}
// get SubjectConfirmationData
+ " missing SubjectConfirmationData in the Subject.");
}
throw new SAMLException(
}
// SSOTokenID == scData
try {
if (sessionProvider == null) {
"nullSessionProvider"));
}
// get authenticationInstant
// get the nameQualifier of the NameIdentifier
// get the name of the NameIdentifier
try {
} catch (Exception e) {
// catching exception here since clientIP is optional
"getAuthNAssertion: exception when getting " +
"client ip.");
}
}
} catch (Exception e) {
+ " exception retrieving info from the SSOToken:", e);
}
throw new SAMLException(
}
// get and check NameIdentifier
((niNameQualifier != null) &&
{
+ ": NameIdentifier is different from info in "
+ "SubjectConfirmation");
}
throw new SAMLException(
}
}
// get and check AuthenticationMethod in the query
// check it against authMethod
{
+ " couldn't form an assertion matching the "
+ "AuthenticationMethod in the query.");
}
"authenticationMethodInQueryNotMatch"));
}
}
subjLocality, null);
// get this period from the config
{
}
// add entry to idEntryMap
try {
synchronized (idEntryMap) {
}
}
}
} catch (Exception e) {
+ " couldn't add assertion to the idEntryMap.", e);
}
throw new SAMLResponderException(
}
} else {
}
// create a listener and add the listener to the token
try {
} catch (SessionException e) {
+ " Couldn't add listener to token:", e);
// don't need to throw an exception
}
return assertion;
}
/**
* Gets assertion created from an AuthorizationDecisionQuery.
* @param query An AuthorizationDecisionQuery.
* @param destID to whom the assertion will be created for.
* @return The Assertion that is created from the query.
* @throws SAMLException If the Assertion cannot be created.
*/
throws SAMLException
{
}
/**
* Gets assertion created from an AuthorizationDecisionQuery.
* @param query An AuthorizationDecisionQuery.
* @param destID to whom the assertion will be created for.
* @param store if true, the assertion is stored internally.
* @return The Assertion that is created from the query.
* @throws SAMLException If the Assertion cannot be created.
*/
throws SAMLException
{
// no need to log the error again
return null;
}
+ "missing destID.");
}
throw new SAMLException(
}
+ "empty partnerURL list.");
}
throw new SAMLException(
}
{
+ "couldn't obtain ActionMapper.");
}
throw new SAMLException(
}
boolean existingToken = true;
// if there is a token, then the token must be valid
try {
if (sessionProvider == null) {
"nullSessionProvider"));
}
} catch (Exception e) {
+ ": invalid SSO token:", e);
}
throw new SAMLException(
}
} else {
// if there is an assertion, then it must be valid
existingToken = false;
}
}
}
+ "Couldn't obtain ssotoken.");
}
throw new SAMLException(
}
// no need to invalidate the newly created ssotoken since the token
// will be invalidated/destroyed when the short maxSessionTime and
// maxIdleTime are reached.
}
throws SAMLException
{
+ "GetSSOToken: null input.");
}
throw new SAMLException(
}
if (!assertion.isSignatureValid()) {
+ "GetSSOToken: SSOAssertion is signature invalid.");
}
throw new SAMLException(
}
if (!assertion.isTimeValid()) {
+ "GetSSOToken: SSOAssertion is time invalid.");
}
throw new SAMLException(
}
// TODO: check AudienceRestrictionConditions if any
{
// this server is the issuer
+ "this server is the issuer.");
}
}
}
return tokenMap;
}
} else {
}
}
+ "GetSSOToken: either not an AuthN assertion or token "
+ "is not for this subject.");
}
getString("cannotVerifySubject"));
} else {
+ "this server is not the issuer.");
}
if (statement.getStatementType() ==
{
break;
}
}
if (ssoStatement == null) {
+ "AndGetSSOToken: missing AuthenticationStatement in "
+ "SSOAssertion.");
}
throw new SAMLException(
}
}
return tokenMap;
}
throws SAMLException
{
try {
if (sessionProvider == null) {
"nullSessionProvider"));
}
} catch (Exception e) {
+ "Session is not valid.", e);
}
throw new SAMLException(
}
return;
}
{
+ "AndNI: NameIdentifier is different from info in "
+ "token.");
}
getString("wrongNameIdentifier"));
}
}
throws SAMLException
{
// check if issuer is on our list.
if (sourceSite == null) {
+ "CreateSSOToken: issuer is not on the partnerURL list.");
}
getString("cannotVerifySubject"));
}
// TODO: check AudienceRestrictionCondition if any
// check the subject
{
+ "Token: wrong subject in evidence.");
}
getString("cannotVerifySubject"));
}
}
}
throws SAMLException
{
}
"createTempSSOToken: couldn't map the subject " +
"to a local user.");
}
throw new SAMLRequesterException(
} else {
name);
}
}
try {
} else {
}
} catch (Exception e) {
"createTempSSOToken: Couldn't retrieve " +
"the ssotoken.", e);
}
throw new SAMLResponderException(
}
return token;
}
/**
* @param addListener A listener to the single sign on token is added only
* when both store and addListener are true.
*/
throws SAMLException
{
+ "actionMap from ActionMapper is null.");
}
throw new SAMLException(
}
int decision;
!= null)
{
} else {
if (newActions == null) {
// try not to be too restrictive
}
decision =
}
//create statement
{
}
if (store) {
if (addListener) {
// create a listener and add the listener to the token
try {
if (sessionProvider == null) {
getString("nullSessionProvider"));
}
} catch (SessionException e) {
+ " Couldn't get listener to token:", e);
// don't need to throw an exception
}
}
// put assertion in idEntryMap
try {
synchronized (idEntryMap) {
}
}
}
} catch (Exception e) {
+ ": couldn't add assertion to the idAssertionMap.", e);
}
throw new SAMLResponderException(
}
} else {
}
}
return assertion;
}
/**
* Gets the Assertion referenced by an <code>AssertionIDReference</code>.
* @param idRef The <code>AssertionIDReference</code> which references to an
* Assertion.
* @return the Assertion referenced by the <code>AsertionIDReference</code>.
* @throws SAMLException If an error occurred during the process; or
* the assertion could not be found.
*/
throws SAMLException
{
}
/**
* Gets the Assertion referenced by an <code>AssertionIDReference</code>.
* This method is usually used after the call
* <code>AssertionManager.getAssertions(SSOToken)</code>.
* The assertion is retrieved from this <code>AssertionManager</code> only.
* @param idRef The <code>AssertionIDReference</code> which references to an
* Assertion.
* @param token Use's session object that is allowed to obtain the
* assertion. This token must have top level administrator role.
* @return the Assertion referenced by the <code>AsertionIDReference</code>.
* @throws SAMLException If an error occurred during the process; the token
* does not have the privilege; or the assertion could not be
* found.
* @supported.api
*/
throws SAMLException {
+ "): input token is null.");
}
if (!isSuperUser(token)) {
+ "): Session doesn't have the privilege.");
}
}
/**
* Gets the Assertion referenced by an <code>AssertionIDReference</code>.
* @param idRef The <code>AssertionIDReference</code> which references to an
* Assertion.
* @param destID The destination site id requesting the assertion using
* the assertion id reference. This String is compared with the
* <code>destID</code> that the assertion is created for originally.
* This field is not used (could be null) if the assertion was
* created without a <code>destID</code> originally. This String can
* be obtained from converting the 20 byte site id sequence to char
* array, then a new String from the char array.
* @return the Assertion referenced by the <code>AsertionIDReference</code>.
* @throws SAMLException If an error occurred during the process; or
* the assertion could not be found.
* @supported.api
*/
throws SAMLException {
} else {
}
}
/**
* Gets the Assertion referenced by an <code>AssertionIDReference</code>.
* @param idRef The <code>AssertionIDReference</code> which references to an
* Assertion.
* @param destID A Set of destination site id. The destination site id
* requesting the assertion using the assertion id reference.
* This String is compared with the <code>destID</code> that the
* assertion is created for originally. This field is not used
* (could be null) if the assertion was created without a
* <code>destID</code> originally. This String can be obtained from
* converting the 20 byte site id sequence to char array, then a new
* String from the char array.
* @return the Assertion referenced by the <code>AsertionIDReference</code>.
* @throws SAMLException If an error occurred during the process; or
* the assertion could not be found.
* @supported.api
*/
throws SAMLException {
}
/**
* Gets the Assertion referenced by an <code>AssertionIDReference</code>.
* @param id The <code>AssertionIDReference</code> which references to an
* Assertion.
* @param destID A Set of String that represents the destination id.
* The destination site id requesting the assertion using
* the assertion id reference. This String is compared with the
* <code>destID</code> that the assertion is created for originally.
* This field is not used (could be null) if the assertion was
* created without a <code>destID</code> originally. This String can
* be obtained from converting the 20 byte site id sequence to char
* array, then a new String from the char array.
* @param useToken A boolean value. If set to true, destID is not
* checked against with the string that the assertion is created
* for originallyr, the assertion is retrieved from this server
* only.
* @return the Assertion referenced by the <code>AsertionIDReference</code>.
* @throws SAMLException If an error occurred during the process; or
* the assertion could not be found.
*/
boolean useToken)
throws SAMLException {
destID);
}
+ "tionIDRef): null AssertionID.");
}
throw new SAMLRequesterException(
}
if (!useToken) {
// get server id.
// call AssertionManagerClient.getAssertion
"getAssertion(idRef): calling another server" +
" in lb site:" + remoteUrl);
}
} //else
}
}
}
+ "tionIDRef): no matching assertion found in idEntryMap.");
}
throw new SAMLException(
} else {
}
}
+ "AssertionIDRef): no matching assertion found.");
}
throw new SAMLException(
}
if (!useToken) {
// check if the destID is correct
+ "AssertionID): destID doesn't match.");
}
throw new SAMLException(
}
}
}
// check the time of the assertion
if (!assertion.isTimeValid()) {
+ aIDString + " is expired.");
}
throw new SAMLException("assertionTimeNotValid");
}
return assertion;
}
/**
* Creates an AssertionArtifact.
* @param id The String that contains authentication information which
* is needed to create the assertion. It could be a string
* representation of an id, a cookie, etc.
* @param destID The destination site that the artifact is created for.
* @return The AssertionArtifact.
* @throws SAMLException If the AssertionArtifact cannot be created.
*/
}
/**
* Creates an AssertionArtifact.
* @param id The String that contains authentication information which
* is needed to create the assertion. It could be a string
* representation of an id, a cookie, etc.
* @param destID The destination site that the artifact is created for.
* @param targetUrl A URL String representing the target site
* @param version The relying party preferred Assertion version number.
* @return The AssertionArtifact.
* @throws SAMLException If the AssertionArtifact cannot be created.
*/
throws SAMLException {
}
/**
* Creates an AssertionArtifact.
* @param id The String that contains authentication information which
* is needed to create the assertion. It could be a string
* representation of an id, a cookie, etc.
* @param destID The destination site that the artifact is created for.
* @param request The HttpServletRerquest object of the request.
* @param response The HttpServletResponse object.
* @param targetUrl A URL String representing the target site
* @param version The relying party preferred Assertion version number.
* @return The AssertionArtifact.
* @throws SAMLException If the AssertionArtifact cannot be created.
*/
// check input
+ " method createAssertionArtifact.");
}
throw new SAMLRequesterException(
}
"(String, String): destID not in partner list.");
throw new SAMLException(
}
// create assertion id and artifact
+ "ifact: couldn't generate assertion handle.");
}
throw new SAMLResponderException(
}
try {
}
}
} catch (NumberFormatException ne) {
}
return art;
}
/**
* This method returns the decision of an AuthorizationQuery.
* @param authZQuery An AuthorizationQuery that contains the question:
* Is this subject authorized to perfrom this action on
* this resource?
* @param destID the SourceID of the site where the query is from.
* @return an int whose value is defined in
* AuthorizationDecisionStatement.DecisionType.
*/
if (authZQuery == null) {
}
try {
false);
} catch (SAMLException e) {
+ " when trying to get an assertion from authZQuery. ", e);
}
// double check, shouldn't be here
}
// Got an assertion
if (statement.getStatementType() ==
{
// we know there should be only one authZstatement
return ((AuthorizationDecisionStatement) statement).
getDecision();
}
}
// still here means no authZstatement
+ "authZstatement in assertion.");
} else {
+ " assertion.");
}
}
throws SAMLResponderException
{
+ "Artifact(assertion,String): reached maxNumber of "
+ "assertions.");
throw new SAMLResponderException(
} else {
return false;
}
}
private long runPeriod;
}
synchronized (keys) {
}
}
synchronized (keys) {
}
}
public boolean isEmpty() {
return false;
}
public long getRunPeriod() {
return runPeriod;
}
public void run() {
synchronized (keys) {
+"CleanUpThread::number of assertions in "
}
if (!assertion.isTimeValid()) {
}
} else {
// if conditions are absent, calculate time
// validity of assertion as if notBefore is
// issueInstant - notBeforeSkew and notOnOrAfter
// is assertion time out + issueInstant
- notBeforeSkew);
}
}
}
}
}
}
}
}
}