a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: AssertionManager.java,v 1.13 2010/01/09 19:41:06 qcheng Exp $
a4544a5a0e622ef69e38641f87ab1b5685e05911Phill Cunnington * Portions Copyrighted 2013-2015 ForgeRock AS.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.common.GeneralTaskRunnable;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.common.PeriodicGroupRunnable;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.common.ScheduleableGroupAction;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.common.SystemConfigurationUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.monitoring.FedMonAgent;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.monitoring.FedMonSAML1Svc;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.monitoring.MonitorManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The class <code>AssertionManager</code> is a <code>final</code> class
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * that provides interfaces to create, get and destroy <code>Assertion</code>s.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * It is a singleton class; an instance of this class can be obtained by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * calling <code>AssertionManager.getInstance()</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Having obtained an instance of <code>AssertionManager</code>, its methods
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * can be called to create/get <code>Assertion</code>, and
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AssertionArtifact</code>, and to obtain decision from an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>Query</code>.
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * This class can only be used in the same JVM as OpenAM.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // General stats class
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Assertion Statistics Class
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Artifact Statistics Class
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "com.sun.identity.authentication.super.user";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static SessionProvider sessionProvider = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assStats = Stats.getInstance("amAssertionMap");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster superUser = SystemConfigurationUtil.getProperty(SUPER_USER);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider = SessionManager.getProvider();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("Static: Couldn't get SessionProvider.",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster cleanUpInterval = ((Integer) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.CLEANUP_INTERVAL_NAME)).intValue() * 1000;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster artifactTimeout = ((Integer) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.ARTIFACT_TIMEOUT_NAME)).intValue() * 1000;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionTimeout = ((Integer) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.ASSERTION_TIMEOUT_NAME)).intValue() * 1000;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster notBeforeSkew = ((Integer) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.NOTBEFORE_TIMESKEW_NAME)).intValue() * 1000;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Singleton instance of AssertionManager
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static AssertionManager instance = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // used to store artifact to assertionID mapping
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // used to store assertionIDString to entry mapping
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static TaskRunnable assertionTimeoutRunnable;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static TaskRunnable artifactTimeoutRunnable;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public Entry(Assertion assertion, String destID, String artString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void setArtifactString(String newArtifactString) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Default Constructor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionVersion = SystemConfigurationUtil.getProperty(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protocolVersion = SystemConfigurationUtil.getProperty(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionVersion = SAMLConstants.ASSERTION_VERSION_1_0;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protocolVersion = SAMLConstants.PROTOCOL_VERSION_1_0;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster TimerPool timerPool = SystemTimerPool.getTimerPool();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ScheduleableGroupAction assertionTimeoutAction = new
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionTimeoutRunnable = new PeriodicGroupRunnable(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionTimeoutAction, cleanUpInterval, assertionTimeout, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster timerPool.schedule(assertionTimeoutRunnable, new Date(((
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster System.currentTimeMillis() + cleanUpInterval) / 1000) * 1000));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ScheduleableGroupAction artifactTimeoutAction = new
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster artifactTimeoutRunnable = new PeriodicGroupRunnable(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster artifactTimeoutAction, cleanUpInterval, artifactTimeout, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster timerPool.schedule(artifactTimeoutRunnable, new Date(((
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster System.currentTimeMillis() + cleanUpInterval) / 1000) * 1000));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster goThroughRunnable = new GoThroughRunnable(cleanUpInterval);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster timerPool.schedule(goThroughRunnable, new Date(((
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster System.currentTimeMillis() + cleanUpInterval) / 1000) * 1000));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster artifactStats = new ArtifactStats(artEntryMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionStats = new AssertionStats(idEntryMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets the singleton instance of <code>AssertionManager</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return The singleton <code>AssertionManager</code> instance
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException if unable to get the singleton
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AssertionManager</code> instance.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static AssertionManager getInstance() throws SAMLException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // not throwing any exception
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (AssertionManager.class) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("Constructing a new instance"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " of AssertionManager");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This method creates an Assertion that contains an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenticationStatement</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param token user's session object that contains authentication
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * information which is needed to create the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenticationStatement</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return Assertion The created Assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If the Assertion cannot be created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (assertionVersion.equals(SAMLConstants.ASSERTION_VERSION_1_0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT, 0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.CONFIRMATION_METHOD_ARTIFACT, 1);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "assertionVersionNotSupport"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This method creates an Assertion that contains an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenticationStatement</code> and
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * an <code>AttributeStatement</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param token User's session object that contains authentication
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * information which is needed to create the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenticationStatement</code> for the Assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param attributes A list of Attribute objects which are used to
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * create the <code>AttributeStatement</code> for the Assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return Assertion The created Assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If the Assertion cannot be created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public Assertion createAssertion(Object token, List attributes)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster { if (assertionVersion.equals(SAMLConstants.ASSERTION_VERSION_1_0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT, 0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.CONFIRMATION_METHOD_ARTIFACT, 1);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "assertionVersionNotSupport"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private Assertion createAssertion(Object token, List attributes,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.createAssertion(id):"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "input Session is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullSessionProvider"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String id = sessionProvider.getSessionID(token);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return createAssertion(id, null, null, attributes,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This method creates an <code>AssertionArtifact</code> for the given
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertion The Assertion for which an Artifact needs to be created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID The <code>sourceID</code> of the site for which the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AssertionArtifact</code> is created. It is in raw String
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * format (not Base64 encoded, for example.) This String can be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * obtained by converting the 20-byte sequence to a char array, then
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * from the char Array to String.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>AssertionArtifact</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If the <code>AssertionArtifact</code> cannot be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public AssertionArtifact createAssertionArtifact(Assertion assertion,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((assertion == null) || (destID == null) || (destID.length() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.createAssertionArti"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "fact(Assertion, String): null input.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map partner = (Map) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((partner == null) || (!partner.containsKey(destID))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.createAssertionArtifact:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "(Assertion, String): destID not in partner list.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String handle = SAMLUtils.generateAssertionHandle();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.createAssertion"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Artifact(Assertion,String): couldn't generate "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "assertion handle.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("errorCreateArtifact"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String sourceID = (String) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionArtifact art = new AssertionArtifact(sourceID, handle);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saml1Svc.incSAML1Cache(FedMonSAML1Svc.ASSERTIONS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((entry == null) && !validateNumberOfAssertions(idEntryMap)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saml1Svc.incSAML1Cache(FedMonSAML1Svc.ASSERTIONS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster entry = new Entry(assertion, destID, artString, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (idEntryMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.createAssertion"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Artifact(Assertion,String): couldn't add to "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "idEntryMap." + e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("errorCreateArtifact"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (LogUtils.isAccessLoggable(java.util.logging.Level.FINER)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {SAMLUtils.bundle.getString("assertionCreated"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {SAMLUtils.bundle.getString("assertionCreated"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saml1Svc.incSAML1Cache(FedMonSAML1Svc.ASSERTIONS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String preArtString = entry.getArtifactString();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.createAssertion"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Artifact(Asssertion, String): Artifact exists for "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "the assertion.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("errorCreateArtifact"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // add to artEntry map
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (artEntryMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster artifactTimeoutRunnable.removeElement(artString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saml1Svc.incSAML1Cache(FedMonSAML1Svc.ARTIFACTS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.createAssertionArt"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "fact(Assertion,String): couldn't add artifact to the "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "artEntryMap", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("errorCreateArtifact"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {SAMLUtils.bundle.getString("assertionArtifactCreated"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This method gets all valid Assertions managed by this
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AssertionManager</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param token User's session object which is allowed to get all
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return A Set of valid Assertion IDs. Each element in the Set is a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * String representing an Assertion ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If this method cannot get all valid Assertions.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.getAssertions(Object"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "): input session is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.getAssertions(Object"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "): Session doesn't have the privilege.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString("noPrivilege"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("SessionProvider is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String userID = (String) sessionProvider.getProperty(token,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (superUser != null && superUser.length() > 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionManager.isSuperUser:Exception: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This method gets the Assertion based on the Assertion ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param id The Assertion ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return An Assertion identified by the Assertion ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If this method can not get the Assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.getAssetion(String): "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "id is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionIDReference idRef = new AssertionIDReference(id);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This method gets all valid <code>AssertionArtifacts</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * managed by this <code>AssertionManager</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param token User's session object which is allowed to get all
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AssertionArtifacts</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return A Set of valid <code>AssertionArtifacts</code>. Each element in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the Set is an <code>AssertionArtifacts</code> object representing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * an artifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If this method cannot get all valid
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AssertionArtifacts</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.getAssertionArtifacts(" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Object token): input token is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.getAssertionArtifacts(" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Object token): Session doesn't have the privilege.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString("noPrivilege"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns Assertion that contains <code>AuthenticationStatement</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param id The String that contains authentication information which
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is needed to create the assertion. It could be a string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * representation of an id, a cookie, etc.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param artifact the value to be set in the SubjectConfirmation of the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenticationStatement</code>. If it's null,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SubjectConfirmation</code> is set to bearer.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID A String that is the site the assertion is created for.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param targetUrl A URL String representing the target site
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param version The relying party preferred Assertion version number.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return Assertion The created Assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If the Assertion cannot be created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public Assertion createSSOAssertion(String id, AssertionArtifact artifact,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String destID, String targetUrl, String version)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return createSSOAssertion(id, artifact, null, null, destID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns Assertion that contains <code>AuthenticationStatement</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param id The String that contains authentication information which
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is needed to create the assertion. It could be a string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * representation of an id, a cookie, etc.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param artifact the value to be set in the SubjectConfirmation of the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenticationStatement</code>. If it's null,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SubjectConfirmation</code> is set to bearer.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request The HttpServletRequest object of the request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response The HttpServletResponse object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID A String that is the site the assertion is created for.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param targetUrl A URL String representing the target site
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param version The relying party preferred Assertion version number.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return Assertion The created Assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If the Assertion cannot be created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public Assertion createSSOAssertion(String id, AssertionArtifact artifact,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletRequest request, HttpServletResponse response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String destID, String targetUrl, String version)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map partnerURLs = (Map) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (SAMLServiceManager.SOAPEntry)partnerURLs.get(destID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullSessionProvider"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Object userSession = sessionProvider.getSession(id);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attributes = cMapper.getAttributes(userSession,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attributes = mapper.getAttributes(userSession);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.createAssertion(id):"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " exception retrieving info from the Session", ssoe);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // SAML post profile
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (version.equals(SAMLConstants.ASSERTION_VERSION_1_1)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // set minor version to 1
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return createAssertion(id, artifact, destID, attributes,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.CONFIRMATION_METHOD_BEARER, 1, nameIDFormat);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // set minor version to 0
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return createAssertion(id, artifact, destID, attributes,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.CONFIRMATION_METHOD_BEARER, 0, nameIDFormat);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return createAssertion(id, artifact, destID, attributes,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT, 0,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (version.equals(SAMLConstants.ASSERTION_VERSION_1_1)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return createAssertion(id, artifact, destID, attributes,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("Input version " + version +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " is not supported.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private Assertion createAssertion(String id, AssertionArtifact artifact,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String destID, List attributes, String confirmationMethod,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster int minorVersion, String nameIDFormat) throws SAMLException
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check input
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.createAssertion(id):"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "null input.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullSessionProvider"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authMethod = (String) sessionProvider.getProperty(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider.getProperty(token,"authInstant")[0];
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (authSSOInstant == null || authSSOInstant.equals("")) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authInstant = DateUtils.stringToDate(authSSOInstant);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster InetAddress.getByName(sessionProvider.getProperty(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // catching exception here since client ip is optional
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "createAssertion(id):" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "exception when obtaining client ip: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "createAssertion(id):" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " exception retrieving info from the Session: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (Map) SAMLServiceManager.getAttribute(SAMLConstants.PARTNER_URLS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (SAMLServiceManager.SOAPEntry)partnerURLs.get(destID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster niMapper = partnerEntry.getNameIdentifierMapper();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (String)SAMLServiceManager.getAttribute(SAMLConstants.SITE_ID);
0c9f0c5f2c3eb18b0b4736e234e0091b9f90db21Peter Major NameIdentifier ni = niMapper.getNameIdentifier(token, srcID, destID, nameIDFormat);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.createAssertion(id): " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "name identifier is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((confirmationMethod != null) && (confirmationMethod.length() > 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster subConfirmation = new SubjectConfirmation(confirmationMethod);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // set default for SAML Artifact profile
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // here, we use SAML 1.0 confirmation method as default.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster subConfirmation = new SubjectConfirmation(confirmationMethod);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // set to bearer for POST profile
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Subject sub = new Subject(ni, subConfirmation);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((clientIP != null) && (clientIP.length() != 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster subjLocality = new SubjectLocality(clientIP, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster statements.add(new AuthenticationStatement(authMethod, authInstant,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((attributes != null) && (!attributes.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster statements.add(new AttributeStatement(sub, attributes));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Date notBefore = new Date(issueInstant.getTime() - notBeforeSkew);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // TODO: this period will be different for bearer
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Date notAfter = new Date(issueInstant.getTime() + assertionTimeout);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Conditions cond = new Conditions(notBefore, notAfter);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String issuer = (String) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Assertion assertion = new Assertion(null, issuer, issueInstant, cond,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // TODO:set AuthorityBinding if any
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (((Boolean) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Entry entry = new Entry(assertion, destID, artString, token);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (idEntryMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionTimeoutRunnable.removeElement(aIDString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionTimeoutRunnable.addElement(aIDString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saml1Svc.incSAML1Cache(FedMonSAML1Svc.ASSERTIONS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager: couldn't add "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "to idEntryMap.", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("errorCreateAssertion"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (LogUtils.isAccessLoggable(java.util.logging.Level.FINER)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { SAMLUtils.bundle.getString("assertionCreated"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { SAMLUtils.bundle.getString("assertionCreated"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // put artifact in artEntryMap
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (artEntryMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (System.currentTimeMillis() + artifactTimeout)));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster artifactTimeoutRunnable.removeElement(artString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager: couldn't add "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "artifact to the artEntryMap.", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("errorCreateArtifact"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "assertionArtifactCreated"), artString, aIDString};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // create a listener and add the listener to the token
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionSSOTokenListener listener = new AssertionSSOTokenListener(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.createAssertion(id):"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Couldn't add listener to session:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.warning("AssertionManager.createAssertion(id):"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Operation add listener to session not supported:",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Deletes an assertion from the server. This method is used by the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AssertionSSOTokenListener and cleanup method in the package.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertionID the id of the Assertion to be deleted.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param artifact the artifact associated with this assertionID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When it's null, no artifact is associated with this assertionID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster void deleteAssertion(String assertionID, String artifact) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // this is the case when Session expired, and the assertion
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // was created for artifact
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster artEntry = (ArtEntry) artEntryMap.remove(artifact);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster entry = (Entry) idEntryMap.remove(assertionID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {SAMLUtils.bundle.getString("assertionRemoved"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // this is the case when assertion expired, check to see
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // if the assertion is associated with an artifact
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (artEntryMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((artEntry != null) && SAMLServiceManager.getRemoveAssertion()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (idEntryMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets assertion associated with the AssertionArtifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param artifact An AssertionArtifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID A Set of String that represents the destination site id.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The destination site requesting the assertion using
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the artifact. This String is compared with the destID that
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the artifact was originally created for.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destCheckFlag true if the destination id is to be matched,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * otherwise it is false. If it is false, destID can
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * be any string, including null.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return The Assertion referenced by the artifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If an error occurred during the process, or no
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * assertion maps to the input artifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private Assertion getAssertion(AssertionArtifact artifact, Set destID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("getAssertion(arti): destID set= " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check the destination id; also if this artifact exists
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String artString = artifact.getAssertionArtifact();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get server id.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // call AssertionManagerClient.getAssertion
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAssertion(art, " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "destid: calling another server in lb site:" + remoteUrl);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionManagerClient amc = new AssertionManagerClient(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get the assertion ID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ArtEntry artEntry = (ArtEntry) artEntryMap.get(artString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saml1Svc.incSAML1Cache(FedMonSAML1Svc.ARTIFACTS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saml1Svc.incSAML1Cache(FedMonSAML1Svc.ARTIFACTS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAssertion(art, de"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "stid): no Assertion found corresponding to artifact.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("noMatchingAssertion"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saml1Svc.incSAML1Cache(FedMonSAML1Svc.ARTIFACTS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster aIDString = (String) artEntry.getAssertionID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAssertion(art, de"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "stid): no AssertionID found corresponding to artifact.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("noMatchingAssertion"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAssertion(art, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "destid): artifact timed out.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("artifactTimedOut"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAssertion(art, de"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "stid): no Entry found corresponding to artifact.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("noMatchingAssertion"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check the destination id
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAssertion(" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "art, destid): no destID found corresponding to artifact.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("noDestIDMatchingArtifact"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (destID == null || !destID.contains(dest)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAssertion(art"+
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ", destid): destinationID doesn't match.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAssertion(art, de"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "stid): no Assertion found corresponding to aID.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("noMatchingAssertion"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // remove the asssertion from artEntryMap
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (artEntryMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster artifactTimeoutRunnable.removeElement(artString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized(idEntryMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionTimeoutRunnable.removeElement(aIDString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check the time of the assertion
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager: assertion "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("assertionTimeNotValid"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets assertion associated with the AssertionArtifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param artifact An AssertionArtifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID The destination site requesting the assertion using
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the artifact. This String is compared with the destID that
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the artifact was originally created for.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return The Assertion referenced by the artifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If an error occurred during the process, or no
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * assertion maps to the input artifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public Assertion getAssertion(AssertionArtifact artifact, String destID)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((artifact == null) || destID == null || destID.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager: input is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets assertion associated with the AssertionArtifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param artifact An AssertionArtifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID A Set of String that represents the destination site id.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The destination site requesting the assertion using
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the artifact. Each string in this set compares with the destID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * that the artifact was originally created for. If a match is found,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the operation continues; otherwise an error is thrown.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return The Assertion referenced by the artifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If an error occurred during the process, or no
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * assertion maps to the input artifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public Assertion getAssertion(AssertionArtifact artifact, Set destID)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((artifact == null) || destID == null || destID.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager: input is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets assertion associated with the AssertionArtifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param artifact An AssertionArtifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return The Assertion referenced by the artifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If an error occurred during the process, or no
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * assertion maps to the input artifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected Assertion getAssertion(AssertionArtifact artifact)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager: input is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets assertion created from the query.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param query An Assertion Query.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID the party for whom the assertion will be created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return The Assertion that is created from the query.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If the Assertion cannot be created due to an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * error in the query or in the receiver.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public Assertion getAssertion(Query query, String destID)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAssertion: input"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " query is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster result = getAuthenticationAssertion((AuthenticationQuery)query,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (queryType == Query.AUTHORIZATION_DECISION_QUERY) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (queryType == Query.ATTRIBUTE_QUERY) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster result = getAttributeAssertion((AttributeQuery)query, destID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAssertion: this "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "type of query is not supported:" + queryType);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("queryNotSupported"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets assertion created from an AttributeQuery.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param query An AttributeQuery.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID the party for whom the assertion will be created. Currently,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * it is the <code>sourceID</code> of the site that sends the query.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return The Assertion that is created from the query.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If the Assertion cannot be created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private Assertion getAttributeAssertion(AttributeQuery query, String destID)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // no need to log the error again
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((destID == null) || (destID.length() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAttributeAssertion"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + ": missing destID.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map entries = (Map) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAttributeAssertion"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + ": empty partner URL list.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("emptyPartnerURLList"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLServiceManager.SOAPEntry destSite = (SAMLServiceManager.SOAPEntry)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ((attrMapper = destSite.getAttributeMapper()) == null))
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAttributeAssertion"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + ": couldn't obtain AttributeMapper.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("errorObtainAttributeMapper"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String tokenID = attrMapper.getSSOTokenID(query);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String issuerName = (String) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullSessionProvider"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAttribute"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Assertion: invalid SSO token:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("invalidSSOToken"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else { // token is null
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Assertion assertion = attrMapper.getSSOAssertion(query);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAttribute"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Assertion: couldn't find SSOAssertion in query.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAttribute"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Assertion: SSOAssertion is signature invalid.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("assertionSignatureNotValid"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAttribute"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Assertion: SSOAssertion is time invalid.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("assertionTimeNotValid"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Iterator iter = assertion.getStatement().iterator();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ssoSubject = ((AuthenticationStatement) statement).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAttribute"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Assertion: missing AuthenticationStatement in "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "SSOAssertion.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("noAuthNStatement"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((issuerName != null) && (issuerName.equals(issuer)) &&
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // this server is the issuer
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAttrAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "this server is the issuer.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else { // this machine is not the issuer
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAttrAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "this server is not the issuer.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster token = checkAssertionAndCreateSSOToken(assertion, null,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get here then got a valid token
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List attributes = attrMapper.getAttributes(query, destID, token);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((attributes == null) || (attributes.size() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster stmtSet.add(new AttributeStatement(subject, attributes));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Date notBefore = new Date(issueInstant.getTime() - notBeforeSkew);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Date notAfter = new Date(issueInstant.getTime() + assertionTimeout);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Conditions cond = new Conditions(notBefore, notAfter);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Assertion newAssertion = new Assertion(null, issuerName, issueInstant,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (((Boolean) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String aIDString = newAssertion.getAssertionID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // don't save the token and don't add listener
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Entry newEntry = new Entry(newAssertion, destID, null, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // add newEntry to idEntryMap
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (idEntryMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster oldEntry = idEntryMap.put(aIDString, newEntry);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionTimeoutRunnable.removeElement(aIDString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionTimeoutRunnable.addElement(aIDString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saml1Svc.incSAML1Cache(FedMonSAML1Svc.ASSERTIONS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAttributeAssertion"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " couldn't add assertion to the idEntryMap.", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (LogUtils.isAccessLoggable(java.util.logging.Level.FINER)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { SAMLUtils.bundle.getString("assertionCreated"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { SAMLUtils.bundle.getString("assertionCreated"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets assertion created from an AuthenticationQuery.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param query An AuthenticationQuery.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID the party for whom the assertion will be created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return The Assertion that is created from the query.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If the Assertion cannot be created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AuthenticationQuery query, String destID) throws SAMLException
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // no need to log the error again
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get the subject of the query
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get SubjectConfirmation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SubjectConfirmation sc = subject.getSubjectConfirmation();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAuthNAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " missing SubjectConfirmation.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // since we couldn't find the SSOToken in SubjectConfirmationData
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee // we don't know if the subject is authenticated to OpenAM.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("missingSubjectConfirmation"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check ConfirmationMethod
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!SAMLUtils.isCorrectConfirmationMethod(sc)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // don't need to log again
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("wrongConfirmationMethodValue"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get SubjectConfirmationData
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element scData = sc.getSubjectConfirmationData();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAuthNAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " missing SubjectConfirmationData in the Subject.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("missingSubjectConfirmationData"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // SSOTokenID == scData
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullSessionProvider"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authMethod = SAMLServiceManager.getAuthMethodURI(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider.getProperty(token, "AuthType")[0]);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get authenticationInstant
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider.getProperty(token, "authInstant")[0]);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get the nameQualifier of the NameIdentifier
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameQualifier = XMLUtils.escapeSpecialCharacters(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider.getProperty(token, "Organization")[0]);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get the name of the NameIdentifier
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster InetAddress.getByName(sessionProvider.getProperty(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // catching exception here since clientIP is optional
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "getAuthNAssertion: exception when getting " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "client ip.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAuthNAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " exception retrieving info from the SSOToken:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("wrongSubjectConfirmationData"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get and check NameIdentifier
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIdentifier ni = subject.getNameIdentifier();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String niNameQualifier = ni.getNameQualifier();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (((niName != null) && (!niName.equalsIgnoreCase(name))) ||
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (!niNameQualifier.equalsIgnoreCase(nameQualifier))))
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAuthNAssertion"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + ": NameIdentifier is different from info in "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "SubjectConfirmation");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("wrongNameIdentifier"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get and check AuthenticationMethod in the query
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check it against authMethod
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAuthNAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " couldn't form an assertion matching the "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "AuthenticationMethod in the query.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "authenticationMethodInQueryNotMatch"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((clientIP != null) && (clientIP.length() != 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster subjLocality = new SubjectLocality(clientIP, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new AuthenticationStatement(authMethod, authInstant, subject,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get this period from the config
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Date notAfter = new Date(issueInstant.getTime() + assertionTimeout);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Date notBefore = new Date(issueInstant.getTime() - notBeforeSkew);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Conditions cond = new Conditions(notBefore, notAfter);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String issuer = (String) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Assertion assertion = new Assertion(null, issuer, issueInstant, cond,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (((Boolean) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Entry entry = new Entry(assertion, destID, null, token);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // add entry to idEntryMap
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (idEntryMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionTimeoutRunnable.removeElement(aIDString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionTimeoutRunnable.addElement(aIDString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saml1Svc.incSAML1Cache(FedMonSAML1Svc.ASSERTIONS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAuthNAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " couldn't add assertion to the idEntryMap.", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("errorCreateAssertion"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (LogUtils.isAccessLoggable(java.util.logging.Level.FINER)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { SAMLUtils.bundle.getString("assertionCreated"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { SAMLUtils.bundle.getString("assertionCreated"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // create a listener and add the listener to the token
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.getAuthNAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Couldn't add listener to token:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // best-effort: a listener that could not be registered is logged but is not fatal; the cached assertion then presumably lingers until its own timeout instead of being dropped with the session — confirm the listener's role
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets assertion created from an AuthorizationDecisionQuery.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param query An AuthorizationDecisionQuery.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID to whom the assertion will be created for.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return The Assertion that is created from the query.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If the Assertion cannot be created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private Assertion getAuthorizationDecisionAssertion(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AuthorizationDecisionQuery query, String destID)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return getAuthorizationDecisionAssertion(query, destID, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets assertion created from an AuthorizationDecisionQuery.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param query An AuthorizationDecisionQuery.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID to whom the assertion will be created for.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param store if true, the assertion is stored internally.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return The Assertion that is created from the query.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If the Assertion cannot be created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private Assertion getAuthorizationDecisionAssertion(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AuthorizationDecisionQuery query, String destID, boolean store)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // no need to log the error again
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((destID == null) || (destID.length() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAuthZAssertion: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "missing destID.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map entries = (Map) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAuthZAssertion: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "empty partnerURL list.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("emptyPartnerURLList"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLServiceManager.SOAPEntry destSite = (SAMLServiceManager.SOAPEntry)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ((actionMapper = destSite.getActionMapper()) == null))
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAuthZAssertion: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "couldn't obtain ActionMapper.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("errorObtainActionMapper"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIdentifier queryNI = querySubject.getNameIdentifier();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean existingToken = true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String tokenID = actionMapper.getSSOTokenID(query);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // if there is a token, then the token must be valid
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullSessionProvider"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAuthZAssertion"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + ": invalid SSO token:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("invalidSSOToken"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Assertion assertion = actionMapper.getSSOAssertion(query, destID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // if there is an assertion, then it must be valid
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map tokenMap = verifyAssertionAndGetSSOToken(querySubject,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAuthZAssertion: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Couldn't obtain ssotoken.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("cannotVerifySubject"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map map = actionMapper.getAuthorizationDecisions(query, token, destID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // the temporary session created for this query is deliberately not invalidated here; it is
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // expected to expire on its own through the short maxSessionTime and maxIdleTime it was created
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // with. That only holds if those limits really are short — confirm the values SAMLUtils.generateSession applies to it.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return getAuthorizationDecisionAssertion(query, destID, true,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private Map verifyAssertionAndGetSSOToken(Subject querySubject,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((querySubject == null) || (assertion == null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.verifyAssertionAnd"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "GetSSOToken: null input.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("cannotVerifySubject"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.verifyAssertionAnd"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "GetSSOToken: SSOAssertion is signature invalid.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("assertionSignatureNotValid"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.verifyAssertionAnd"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "GetSSOToken: SSOAssertion is time invalid.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("assertionTimeNotValid"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // TODO(security): AudienceRestrictionCondition is not enforced. The signature and validity window are checked above, but an assertion that a trusted issuer created for a different audience is still accepted as SSO evidence here; check the audience before a token is derived from it.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String issuerName = (String) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((issuerName != null) && (issuerName.equals(issuer)) &&
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // this server is the issuer
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAuthZAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "this server is the issuer.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saml1Svc.incSAML1Cache(FedMonSAML1Svc.ASSERTIONS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.verifyAssertionAnd"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "GetSSOToken: either not an AuthN assertion or token "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "is not for this subject.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAuthZAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "this server is not the issuer.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Iterator iter = assertion.getStatement().iterator();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ssoStatement = (AuthenticationStatement) statement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.verifyAssertion"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "AndGetSSOToken: missing AuthenticationStatement in "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "SSOAssertion.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("noAuthNStatement"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster token = checkAssertionAndCreateSSOToken(assertion,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (AuthenticationStatement)statement, querySubject);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private void verifySSOTokenAndNI(Object token, NameIdentifier ni)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullSessionProvider"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameQualifier = XMLUtils.escapeSpecialCharacters(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider.getProperty(token, "Organization")[0]);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.verifySSOTokenAndNI: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Session is not valid.", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("cannotVerifySubject"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String niNameQualifier = ni.getNameQualifier();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (((niName != null) && (!niName.equalsIgnoreCase(name))) ||
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ((niNameQualifier != null) && (!niNameQualifier.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.verifySSOToken"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "AndNI: NameIdentifier is different from info in "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "token.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private Object checkAssertionAndCreateSSOToken(Assertion assertion,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AuthenticationStatement statement, Subject subject)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check if issuer is on our list.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.checkAssertionAnd"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "CreateSSOToken: issuer is not on the partnerURL list.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // TODO(security): AudienceRestrictionCondition is not enforced; the issuer and subject checks around this line do not stop an assertion that a listed partner issued for some other audience from being used to mint a temporary session below.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check the subject
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((subject == null) || (!subject.equals(statement.getSubject())))
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.verifyAndGetSSO"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Token: wrong subject in evidence.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return createTempSSOToken(assertion, subject, sourceSite);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private Object createTempSSOToken(Assertion assertion, Subject subject,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster PartnerAccountMapper paMapper = sourceSite.getPartnerAccountMapper();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map map = paMapper.getUser(assertions, srcID, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster name = (String) map.get(PartnerAccountMapper.NAME);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster org = (String) map.get(PartnerAccountMapper.ORG);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "createTempSSOToken: couldn't map the subject " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "to a local user.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("cannotMapSubject"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "createTempSSOToken: org = " + org + ", name = " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster infoMap.put(SessionProvider.PRINCIPAL_NAME, name);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster token = SAMLUtils.generateSession(null, null, infoMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "createTempSSOToken: Couldn't retrieve " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "the ssotoken.", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("errorCreateAssertion"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param addListener A listener to the single sign on token is added only
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * when both store and addListener are true.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private Assertion getAuthorizationDecisionAssertion(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AuthorizationDecisionQuery query, String destID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAuthZAssertion: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "actionMap from ActionMapper is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("nullAuthZDecision"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((newActions = (List) actionMap.get(ActionMapper.PERMIT)) != null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster decision = AuthorizationDecisionStatement.DecisionType.PERMIT;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if ((newActions = (List) actionMap.get(ActionMapper.DENY))
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster decision = AuthorizationDecisionStatement.DecisionType.DENY;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newActions = (List) actionMap.get(ActionMapper.INDETERMINATE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // fall through to INDETERMINATE (not DENY) when the mapper returned neither PERMIT nor DENY; relying parties should treat INDETERMINATE as not-permitted
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AuthorizationDecisionStatement.DecisionType.INDETERMINATE;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //create statement
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster query.getSubject(), query.getResource(), decision,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Date notAfter = new Date(issueInstant.getTime() + assertionTimeout);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Date notBefore = new Date(issueInstant.getTime() - notBeforeSkew);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Conditions cond = new Conditions(notBefore, notAfter);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String issuer = (String) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Assertion assertion = new Assertion(null, issuer, issueInstant, cond,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (((Boolean) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // create a listener and add the listener to the token
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.getAuthNAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Couldn't get listener to token:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // don't need to throw an exception
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster entry = new Entry(assertion, destID, null, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // put assertion in idEntryMap
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (idEntryMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionTimeoutRunnable.removeElement(aIDString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionTimeoutRunnable.addElement(aIDString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAuthZAssertion"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + ": couldn't add assertion to the idAssertionMap.", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("errorCreateAssertion"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (LogUtils.isAccessLoggable(java.util.logging.Level.FINER)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {SAMLUtils.bundle.getString("assertionCreated"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {SAMLUtils.bundle.getString("assertionCreated"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets the Assertion referenced by an <code>AssertionIDReference</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idRef The <code>AssertionIDReference</code> which references to an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the Assertion referenced by the <code>AssertionIDReference</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If an error occurred during the process; or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the assertion could not be found.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public Assertion getAssertion(AssertionIDReference idRef)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets the Assertion referenced by an <code>AssertionIDReference</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This method is usually used after the call
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AssertionManager.getAssertions(SSOToken)</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The assertion is retrieved from this <code>AssertionManager</code> only.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idRef The <code>AssertionIDReference</code> which references to an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param token User's session object that is allowed to obtain the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * assertion. It must hold the top level administrator role; this method checks that privilege before releasing the assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the Assertion referenced by the <code>AssertionIDReference</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If an error occurred during the process; the token
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * does not have the privilege; or the assertion could not be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public Assertion getAssertion(AssertionIDReference idRef, Object token)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.getAssertion(idRef, token"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "): input token is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString("nullInput"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.getAssertion(idRef, token"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "): Session doesn't have the privilege.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException(SAMLUtils.bundle.getString("noPrivilege"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets the Assertion referenced by an <code>AssertionIDReference</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idRef The <code>AssertionIDReference</code> which references to an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID The destination site id requesting the assertion using
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the assertion id reference. This String is compared with the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>destID</code> that the assertion is created for originally.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This field is not used (could be null) if the assertion was
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * created without a <code>destID</code> originally. This String can
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * be obtained from converting the 20 byte site id sequence to char
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * array, then a new String from the char array.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the Assertion referenced by the <code>AssertionIDReference</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If an error occurred during the process; or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the assertion could not be found.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public Assertion getAssertion(AssertionIDReference idRef, String destID)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets the Assertion referenced by an <code>AssertionIDReference</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idRef The <code>AssertionIDReference</code> which references to an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID A Set of destination site ids. The destination site id
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * requesting the assertion using the assertion id reference.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This String is compared with the <code>destID</code> that the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * assertion is created for originally. This field is not used
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (could be null) if the assertion was created without a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>destID</code> originally. This String can be obtained from
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * converting the 20 byte site id sequence to char array, then a new
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * String from the char array.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the Assertion referenced by the <code>AssertionIDReference</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If an error occurred during the process; or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the assertion could not be found.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public Assertion getAssertion(AssertionIDReference idRef, Set destID)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets the Assertion referenced by an <code>AssertionIDReference</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param id The <code>AssertionIDReference</code> which references to an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID A Set of String that represents the destination id.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The destination site id requesting the assertion using
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the assertion id reference. This String is compared with the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>destID</code> that the assertion is created for originally.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This field is not used (could be null) if the assertion was
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * created without a <code>destID</code> originally. This String can
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * be obtained from converting the 20 byte site id sequence to char
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * array, then a new String from the char array.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param useToken A boolean value. If true, destID is not checked
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * against the destination the assertion was originally created for,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * and the assertion is retrieved from this server only; the caller is then expected to have authorized the request itself (presumably via the privileged-token overload)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the Assertion referenced by the <code>AssertionIDReference</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If an error occurred during the process; or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the assertion could not be found.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private Assertion getAssertion(AssertionIDReference idRef, Set destID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("getAssertion(idRef): destID set=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAssertion(Asser"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "tionIDRef): null AssertionID.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String aIDString = idRef.getAssertionIDReference();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // the assertion ID encodes the id of the server that issued it, which is mapped to that server's URL; idRef is caller-supplied, so the URL must come from the configured server list and never from the ID string itself — confirm in SAMLUtils.getServerURL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String remoteUrl = SAMLUtils.getServerURL(aIDString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // not issued by this server: fetch it from the issuing server via AssertionManagerClient.getAssertion
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "getAssertion(idRef): calling another server" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionManagerClient amc = new AssertionManagerClient(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Entry entry = (Entry) idEntryMap.get(aIDString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saml1Svc.incSAML1Cache(FedMonSAML1Svc.ASSERTIONS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saml1Svc.incSAML1Cache(FedMonSAML1Svc.ASSERTIONS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAssertion(Asser"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "tionIDRef): no matching assertion found in idEntryMap.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("noMatchingAssertion"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml1Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saml1Svc.incSAML1Cache(FedMonSAML1Svc.ASSERTIONS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAssertion("
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "AssertionIDRef): no matching assertion found.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("noMatchingAssertion"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // the assertion may only be released to the site it was created for (the dest recorded with the entry); a null set, or one that does not contain that site, is rejected
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((destID == null) || (!destID.contains(dest))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.getAssertion("
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "AssertionID): destID doesn't match.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check the assertion's validity window; one outside it is rejected with "assertionTimeNotValid" rather than returned
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager: assertion "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAMLException("assertionTimeNotValid");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates an AssertionArtifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param id The String that contains authentication information which
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is needed to create the assertion. It could be a string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * representation of an id, a cookie, etc. Treat it as a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * credential: it must not be logged or echoed to the caller.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID The destination site that the artifact is created for.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return The AssertionArtifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If the AssertionArtifact cannot be created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public AssertionArtifact createAssertionArtifact(String id,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return createAssertionArtifact(id, destID, null, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates an AssertionArtifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param id The String that contains authentication information which
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is needed to create the assertion. It could be a string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * representation of an id, a cookie, etc. Treat it as a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * credential: it must not be logged or echoed to the caller.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID The destination site that the artifact is created for.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param targetUrl A URL String representing the target site
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param version The relying party preferred Assertion version number.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return The AssertionArtifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If the AssertionArtifact cannot be created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public AssertionArtifact createAssertionArtifact(String id,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return createAssertionArtifact(id, destID, null, null,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates an AssertionArtifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param id The String that contains authentication information which
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is needed to create the assertion. It could be a string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * representation of an id, a cookie, etc. Treat it as a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * credential: it must not be logged or echoed to the caller.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID The destination site that the artifact is created for.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request The HttpServletRequest object of the request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response The HttpServletResponse object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param targetUrl A URL String representing the target site
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param version The relying party preferred Assertion version number.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return The AssertionArtifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException If the AssertionArtifact cannot be created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public AssertionArtifact createAssertionArtifact(String id,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletResponse response, String targetUrl,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check input: reject null arguments up front, and (below) refuse to mint an artifact for a destID that is not a configured partner site
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager: null input for"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " method createAssertionArtifact.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map partner = (Map) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((partner == null) || (!partner.containsKey(destID))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.createAssertionArtifact:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "(String, String): destID not in partner list.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // create assertion id and artifact
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String handle = SAMLUtils.generateAssertionHandle();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("AssertionManager.createAssertionArt"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "ifact: couldn't generate assertion handle.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("errorCreateArtifact"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String sourceID = (String) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionArtifact art = new AssertionArtifact(sourceID, handle);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Assertion assertion = createSSOAssertion(id, art,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request, response, destID, targetUrl, version);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster StringTokenizer st = new StringTokenizer(version,".");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This method returns the decision of an AuthorizationQuery.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authZQuery An AuthorizationQuery that contains the question:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Is this subject authorized to perform this action on
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * this resource?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param destID the SourceID of the site where the query is from.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return an int whose value is defined in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthorizationDecisionStatement.DecisionType. Every failure path
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (null input, exception, missing or empty statements) yields
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * INDETERMINATE, never PERMIT, so callers must treat INDETERMINATE as a denial.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public int isAllowed(AuthorizationDecisionQuery authZQuery, String destID) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.isAllowed: null input.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return AuthorizationDecisionStatement.DecisionType.INDETERMINATE;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertion = getAuthorizationDecisionAssertion(authZQuery, destID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.isAllowed: exception thrown"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " when trying to get an assertion from authZQuery. ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return AuthorizationDecisionStatement.DecisionType.INDETERMINATE;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // defensive double check (should be unreachable); fail closed with INDETERMINATE rather than assume a decision
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return AuthorizationDecisionStatement.DecisionType.INDETERMINATE;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Got an assertion
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((statements != null) && (!statements.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // there should be exactly one AuthorizationDecisionStatement; its decision is returned as-is
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return ((AuthorizationDecisionStatement) statement).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // still here means no authZstatement
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.isAllowed: no "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "authZstatement in assertion.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return AuthorizationDecisionStatement.DecisionType.INDETERMINATE;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.isAllowed: no statements in"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " assertion.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return AuthorizationDecisionStatement.DecisionType.INDETERMINATE;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean validateNumberOfAssertions(Map idEntryMap)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Integer maxNumber = (Integer) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((maxValue != 0) && (idEntryMap.size() > maxValue)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.error("AssertionManager.createAssertion"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Artifact(assertion,String): reached maxNumber of "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "assertions.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.bundle.getString("errorCreateArtifact"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private class GoThroughRunnable extends GeneralTaskRunnable {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (keys) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (keys) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.debug.message("Clean up runnable wakes up..");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (keys) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster +"CleanUpThread::number of assertions in "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // if conditions are absent, calculate time
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // validity of assertion as if notBefore is
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // issueInstant - notBeforeSkew and notOnOrAfter
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // is assertion time out + issueInstant
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Date issueInstant = assertion.getIssueInstant();