SAML2Utils.java revision 94b12520da26b40ef162d1c6ad4232eb5084f9e1
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * The contents of this file are subject to the terms
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * of the Common Development and Distribution License
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * (the License). You may not use this file except in
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * compliance with the License.
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * You can obtain a copy of the License at
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * https://opensso.dev.java.net/public/CDDLv1.0.html or
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * See the License for the specific language governing
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * permission and limitations under the License.
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * When distributing Covered Code, include this CDDL
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * Header Notice in each file and include the License file
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * If applicable, add the following below the CDDL Header,
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * with the fields enclosed by brackets [] replaced by
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * your own identifying information:
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * "Portions Copyrighted [year] [name of copyright owner]"
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * Portions Copyrighted 2010-2014 ForgeRock AS
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.iplanet.dpro.session.exceptions.StoreException;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.common.HttpURLConnectionManager;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.common.SystemConfigurationUtil;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.cot.CircleOfTrustDescriptor;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.cot.CircleOfTrustManager;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.federation.common.FSUtils;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.plugin.datastore.DataStoreProvider;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.plugin.datastore.DataStoreProviderException;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.plugin.datastore.DataStoreProviderManager;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.plugin.session.SessionException;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.plugin.session.SessionManager;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml.common.SAMLConstants;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml.common.SAMLUtilsCommon;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.saml2.assertion.Assertion;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.assertion.AssertionFactory;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.assertion.Attribute;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.assertion.AudienceRestriction;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.assertion.AuthnStatement;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.assertion.Conditions;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.saml2.assertion.EncryptedAssertion;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.assertion.SubjectConfirmation;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.assertion.SubjectConfirmationData;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.idpdiscovery.IDPDiscoveryConstants;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.saml2.jaxb.entityconfig.XACMLAuthzDecisionQueryConfigElement;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.jaxb.entityconfig.XACMLPDPConfigElement;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.jaxb.metadata.AssertionConsumerServiceElement;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.jaxb.metadata.EndpointType;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.meta.SAML2MetaException;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.saml2.meta.SAML2MetaManager;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.meta.SAML2MetaUtils;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.protocol.AuthnRequest;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.saml2.protocol.ProtocolFactory;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.protocol.RequestAbstract;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.saml2.protocol.RequestedAuthnContext;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.saml2.protocol.StatusCode;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.security.cert.CRLValidator;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.shared.configuration.SystemPropertiesManager;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.shared.encode.CookieUtils;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkimport com.sun.identity.shared.whitelist.URLPatternMatcher;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * The <code>SAML2Utils</code> contains utility methods for SAML 2.0
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * implementation.
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk // SAML2MetaManager
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk private static SAML2MetaManager saml2MetaManager = null;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk private static CircleOfTrustManager cotManager = null;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk private static KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk SystemPropertiesManager.get(Constants.AM_SERVER_PROTOCOL);
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk SystemPropertiesManager.get(Constants.AM_SERVER_HOST);
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk SystemPropertiesManager.get(Constants.AM_SERVER_PORT);
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk private static String server_uri = SystemPropertiesManager.get(
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk private static String sessionCookieName = SystemPropertiesManager.get(
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk private static String localURL = server_protocol + "://" + server_host +
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk private static final String POST_METHOD = "POST";
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk private static final String LOCATION = "Location";
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk ( (SAML2ConfigService.getAttribute(SAML2ConfigService.SAML2_BUFFER_LENGTH) == null)
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk getAttribute(SAML2ConfigService.SAML2_BUFFER_LENGTH));
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk // Dir server info for CRL entry
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk private static boolean checkCertStatus = false;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk private static boolean checkCAStatus = false;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk if ( (server_port == null) || (server_port.isEmpty()) ) {
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk server_port = "18080"; // TODO Should be a Default Constant.
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk int_server_port = Integer.parseInt(server_port);
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk debug.error("Unable to parse port " + server_port, nfe);
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk int_server_port = 18080; // TODO Should be a Default Constant.
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * Setup the LDAP certificate directory service context for
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk * use in verification of signing certificates.
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk String checkCertStatusStr = SystemConfigurationUtil.getProperty(
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk SAML2Constants.CHECK_SAML2_CERTIFICATE_STATUS, null);
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk Boolean.valueOf(checkCertStatusStr).booleanValue();
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk Boolean.valueOf(SystemConfigurationUtil.getProperty(
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk debug.message("SAML2 : CRL check is configured to "
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk debug.message("SAML2 : CRL check for CA is configured to "
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk checkCertStatus = CRLValidator.isCRLCheckEnabled();
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk debug.message("SAML2 : CRL check is configured " +
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk "with old config style.");
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk "SAML2Utils: Unable to create SOAP MessageFactory", se);
public static boolean isSAML2FailOverEnabled() {
boolean failOver = false;
failOver = true;
return failOver;
throws SAML2Exception {
data,
null);
data,
null);
data,
null);
+ statusCode);
data,
null);
throw new SAML2Exception(
boolean needAssertionEncrypted = false;
needAssertionEncrypted = true;
if (!needAssertionSigned) {
if (needAssertionSigned) {
boolean wantPostResponseSigned =
if (wantPostResponseSigned) {
needAssertionSigned = false;
needAssertionSigned = false;
data,
null);
throw new SAML2Exception(
data,
null);
throw new SAML2Exception(
data,
null);
data,
null);
throw new SAML2Exception(
if (needAssertionSigned) {
data,
null);
boolean foundAssertion = false;
foundAssertion = true;
foundAssertion = true;
if (foundAssertion) {
return smap;
throws SAML2Exception {
boolean hasBearer = false;
data,
null);
data,
null);
boolean foundMatch = false;
foundMatch = true;
if (!foundMatch) {
data,
null);
data,
null);
data,
null);
data,
null);
data,
null);
hasBearer = true;
return retMap;
throws SAML2Exception {
data,
null);
data,
null);
boolean found = false;
found = true;
if (!found) {
data,
null);
throws SAML2Exception {
data,
null);
return smap;
return null;
return result;
} catch (SAML2Exception e) {
return returnAssertions;
boolean isPersistent = false;
return isPersistent;
isPersistent = true;
return isPersistent;
boolean exists = false;
return exists;
exists = true;
} catch (Exception e) {
return exists;
throws SAML2Exception {
remoteEntityID)) {
return keyMap;
public static boolean isSourceSiteValid(
boolean isValid = false;
return isValid;
} catch (Exception e) {
throws SAML2Exception {
return encoded;
uee);
return null;
byte[] output = new byte[n];
return encoded;
return null;
return null;
return null;
return null;
char c = chars[i];
retString = s;
return retString;
return saml2MetaManager;
* return the default realm from AMConfig.properties
return attrVal;
return paramsMap;
return ctxList;
* @param entityID Entity ID for example <code>http://host.sun.com:81</code>
return null;
} catch (NoSuchAlgorithmException e) {
return null;
return null;
return serverID;
return null;
debug.warning("SAML2Utils.getRemoteServiceURL: the given id refers to a site and not a server: " + serverID);
return null;
return null;
return null;
return null;
return id;
return serverId;
boolean isClientMessage)
boolean isClientMessage)
if (isClientMessage) {
return msg;
return null;
return null;
throws SAML2Exception {
+ childName);
while (e.hasMoreElements()) {
return headers;
public static void putHeaders(
.createStatusCode();
.createStatusCode();
} catch (SAML2Exception e) {
return status;
throws SAML2Exception {
return null;
return errResp;
return retElem;
} catch (SOAPException e) {
return msg;
return null;
return null;
return null;
} catch (SAML2MetaException e) {
return null;
throws SAML2Exception {
return roleName;
throw new SAML2Exception(
} catch (Exception e) {
public static void redirectAuthentication(
throws SAML2Exception {
return issuer;
throws SAML2Exception {
throw new SAML2Exception(
throws SAML2Exception {
throw new SAML2Exception(
return session;
} catch (Exception e) {
return handle;
} catch (Exception e) {
return spAuthnCtx;
throws SAML2Exception {
if (issuerValid == false) {
data,
null);
throw new SAML2Exception(
return issuerValid;
throws SAML2Exception {
if (issuerValid == false) {
data,
null);
throw new SAML2Exception(
return issuerValid;
} catch (Exception e) {
return readerURL;
return baseURL;
} catch (Exception e) {
return idpEntityID;
return redirectURL;
throws SAML2Exception {
return idpAccountMapper;
throws SAML2Exception {
idpAdapter = (SAML2IdentityProviderAdapter) IDPCache.idpAdapterCache.get(realm + "$" + idpEntityID + "$" + idpAdapterName);
return idpAdapter;
throws SAML2Exception {
return spAdapterClass;
throws SAML2Exception {
return fedletAdapterClass;
return map;
return map;
throws SAML2Exception {
return spAccountMapper;
return null;
return ecpRequestIDPListFinder;
return relayState;
return null;
spConfig =
return null;
return null;
return null;
return hp;
} catch (SAML2MetaException e) {
return null;
return null;
public static void logError(
return props;
entityID);
} catch (SAML2MetaException e) {
return result;
boolean certgood = true;
if (checkCertStatus == false) {
return certgood = true;
certgood =
return certgood;
return map;
throws SAML2Exception {
//TO DO: Put the message in the bundle libSAML2_XX.properties
return attribute;
throws SAML2Exception {
return nameIDFormat;
endPos);
return (strCookies);
public static boolean isSPProfileBindingSupported(
public static boolean isIDPProfileBindingSupported(
spConfig =
return null;
return null;
return null;
return values;
} catch (SAML2MetaException e) {
return null;
public static boolean isRelayStateURLValid(HttpServletRequest request, String relayState, String role) {
boolean result = false;
result = true;
} catch (SAML2Exception e) {
result = false;
return result;
public static void validateRelayStateURL(
role);
throw new SAML2Exception(
throw new SAML2Exception(
if (isGET) {
conn.setRequestProperty(SAMLConstants.ACCEPT_LANG_HEADER, request.getHeader(SAMLConstants.ACCEPT_LANG_HEADER));
if (isGET) {
int len;
return origRequestData;
+ cookieStr);
boolean urlEncoded = false;
if (s != null) {
urlEncoded = true;
return urlEncoded;
return cookie;
boolean result = false;
return result;