SAML2Utils.java revision fcc9a0b0a96199dd990d08cc14b8aa63803dcf8b
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* Portions Copyrighted 2010-2015 ForgeRock AS.
* Portions Copyrighted 2014 Nomura Research Institute, Ltd
*/
/**
* The <code>SAML2Utils</code> contains utility methods for SAML 2.0
* implementation.
*/
public class SAML2Utils extends SAML2SDKUtils {
private static String serverProtocol =
private static String serverHost =
private static String serverPort =
private static int intServerPort = 0;
private static final char EQUALS = '=';
private static final char SEMI_COLON = ';';
private static final char DOUBLE_QUOTE = '"';
? "8192" : SAML2ConfigService.
// Dir server info for CRL entry
private static boolean checkCertStatus = false;
private static boolean checkCAStatus = false;
static {
} else {
} catch (NumberFormatException nfe) {
}
}
/*
* Setup the LDAP certificate directory service context for
* use in verification of signing certificates.
*/
if (checkCertStatusStr != null) {
.booleanValue();
if (debug.messageEnabled()) {
+ checkCertStatus);
+ checkCAStatus);
}
} else {
if (debug.messageEnabled()) {
"with old config style.");
}
}
}
static {
try {
new SAML2MetaManager();
} catch (SAML2MetaException sme) {
}
try {
cotManager = new CircleOfTrustManager();
} catch (COTException sme) {
}
// run the scheduler in case of server or Fedlet
if (SystemConfigurationUtil.isServerMode() ||
}
}
/**
* Verifies single sign on <code>Response</code> and returns information
* to SAML2 auth module for further processing. This method is used by
* SAML2 auth module only.
*
* @param httpRequest HttpServletRequest
* @param httpResponse HttpServletResponse
* @param response Single Sign On <code>Response</code>.
* @param orgName name of the realm or organization the provider is in.
* @param hostEntityId Entity ID of the hosted provider.
* @param profileBinding Profile binding used.
* @return A Map of information extracted from the Response. The keys of
* map are:
* <code>SAML2Constants.SUBJECT</code>,
* <code>SAML2Constants.POST_ASSERTION</code>,
* <code>SAML2Constants.ASSERTIONS</code>,
* <code>SAML2Constants.SESSION_INDEX</code>,
* <code>SAML2Constants.AUTH_LEVEL</code>,
* <code>SAML2Constants.MAX_SESSION_TIME</code>.
* @throws SAML2Exception if the Response is not valid according to the
* processing rules.
*/
public static Map verifyResponse(
final HttpServletRequest httpRequest,
final HttpServletResponse httpResponse,
final String hostEntityId,
final String profileBinding)
throws SAML2Exception {
if (debug.messageEnabled()) {
}
}
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
// Attempt to read AuthnRequestInfoCopy from SAML2 repository
try {
} catch (SAML2TokenRepositoryException se) {
+ " unable to retrieve from SAML2 repository for inResponseTo: " + inRespToResp);
}
if (reqInfoCopy != null) {
// Get back the AuthnRequestInfo
if (debug.messageEnabled()) {
+ " retrieved from SAML2 repository for inResponseTo: " + inRespToResp);
}
} else {
data,
null);
"invalidInResponseToInResponse"));
}
} else {
if (reqInfoCopy != null) {
// Get back the AuthnRequestInfo
if (debug.messageEnabled()) {
+ " retrieved from SAML2 repository for inResponseTo: " + inRespToResp);
}
} else {
}
}
}
}
// reqInfo can remain null and will do for IDP initiated SSO requests
// invoke SP Adapter
}
}
if (debug.messageEnabled()) {
}
data,
null);
"invalidIssuerInResponse"));
} else {
}
}
if (debug.messageEnabled()) {
}
}
data,
null);
//In case of passive authentication the NoPassive response will be sent using two StatusCode nodes:
//the outer StatusCode will be Responder and the inner StatusCode will contain the NoPassive URN
if (secondLevelStatusCode != null
}
// when is AllowCreate=false mode the auth module gets here with a
// statusCode of urn:oasis:names:tc:SAML:2.0:status:Requester
if (secondLevelStatusCode != null
}
}
}
if (saml2MetaManager == null) {
}
if (debug.messageEnabled()) {
}
// SAML spec processing
// 4.1.4.3 Verify any signatures present on the assertion(s) or the response
boolean responseIsSigned = false;
try {
} catch (SAML2MetaException sme) {
throw new SAML2Exception(sme);
}
if (idpSSODescriptor != null) {
Set<X509Certificate> verificationCerts = KeyUtil.getVerificationCerts(idpSSODescriptor, idpEntityId,
}
} else {
}
responseIsSigned = true;
}
if (debug.messageEnabled()) {
}
// assertion encryption check
boolean needAssertionEncrypted = false;
if (debug.messageEnabled()) {
}
}
if (encAssertions != null) {
if (assertions == null) {
assertions = new ArrayList<>();
}
}
}
if (debug.messageEnabled()) {
}
}
if (debug.messageEnabled()) {
}
// validate the assertions
boolean allAssertionsSigned = true;
data,
null);
"invalidIssuerInAssertion"));
}
if (idpEntityId == null) {
} else {
if (debug.messageEnabled()) {
+ "match the Issuer in Response or other "
+ "Assertions in the Response.");
}
data,
null);
throw new SAML2Exception(
}
}
if (verificationCerts == null) {
}
"Assertion is not signed or signature is not valid.");
data,
null);
"invalidSignatureOnAssertion"));
}
} else {
allAssertionsSigned = false;
}
continue;
}
continue;
}
continue;
}
boolean foundAssertion = false;
foundAssertion = true;
}
try {
foundAssertion = true;
}
} catch (SAML2TokenRepositoryException e) {
if (debug.messageEnabled()) {
}
}
}
if (foundAssertion) {
}
}
} // end of having authnStmt
}
}
// 5.3 signature inheritance - assertion can be considered to inherit the signature from
// the enclosing element
}
// 4.1.4.5 POST-Specific Processing Rules each assertion MUST be protected by a digital signature either by
// signing each individual <Assertion> element or by signing the <Response> element.
boolean wantPostResponseSigned = SAML2Utils
if (debug.messageEnabled()) {
}
if (wantPostResponseSigned && !responseIsSigned) {
}
if (!responseIsSigned && !allAssertionsSigned) {
}
}
return smap;
}
final String inRespToResponse,
final SPSSODescriptorElement spDesc,
final SPSSOConfigElement spConfig,
final String assertionID)
throws SAML2Exception {
boolean hasBearer = false;
if (subjectConfirm == null ||
continue;
}
// since this is bearer SC, all below must be true
if (subjectConfData == null) {
if (debug.messageEnabled()) {
}
data,
null);
"missingSubjectConfirmationData"));
}
if (debug.messageEnabled()) {
}
data,
null);
}
boolean foundMatch = false;
foundMatch = true;
break;
}
}
if (!foundMatch) {
if (debug.messageEnabled()) {
+ "recipient.");
}
data,
null);
}
// in seconds
if (timeskew < 0) {
}
}
if (debug.messageEnabled()) {
}
if (notOnOrAfter == null ||
System.currentTimeMillis())) {
if (debug.messageEnabled()) {
}
data,
null);
"invalidTimeOnSubjectConfirmationData"));
}
System.currentTimeMillis()) {
if (debug.messageEnabled()) {
+ "NotBefore.");
}
"containedNotBefore"));
}
}
if (debug.messageEnabled()) {
+ "different from the one in Response.");
}
data,
null);
"wrongInResponseToInAssertion"));
}
} else {
if (debug.messageEnabled()) {
+ "InResponseTo, but Response does.");
}
data,
null);
"wrongInResponseToInAssertion"));
}
}
hasBearer = true;
break;
}
return retMap;
}
final String hostEntityId,
final String assertionID)
throws SAML2Exception {
if (debug.messageEnabled()) {
}
data,
null);
}
if (restrictions == null) {
if (debug.messageEnabled()) {
}
data,
null);
"missingAudienceRestriction"));
}
boolean found = false;
found = true;
break;
}
}
if (!found) {
if (debug.messageEnabled()) {
}
data,
null);
}
}
final List assertions,
final AuthnRequestInfo reqInfo,
final String inRespToResp,
final String hostEntityId,
final String idpEntityId,
final SPSSOConfigElement spConfig,
final Date notOnOrAfterTime)
throws SAML2Exception {
// use the first AuthnStmt
int authLevel = -1;
}
if (authnRequest != null) {
}
}
}
if (authLevel >= 0) {
}
// SessionNotOnOrAfter
if (sessionNotOnOrAfter != null) {
if (maxSessionTime > 0) {
new Long(maxSessionTime));
}
}
}
if (debug.messageEnabled()) {
+ "assertion.");
}
if (notOnOrAfterTime != null) {
}
data,
null);
return smap;
}
/**
* Retrieves attribute value for a given attribute name from
* <code>SPSSOConfig</code>.
*
* @param config <code>SPSSOConfigElement</code> instance.
* @param attrName name of the attribute whose value ot be retrived.
* @return value of the attribute; or <code>null</code> if the attribute
* if not configured, or an error occured in the process.
*/
public static String getAttributeValueFromSPSSOConfig(
return null;
}
}
return result;
}
/**
* Gets List of 'String' assertions from the list of 'Assertion' assertions
*
* @param assertions A list of Assertions
* @return a String printout of the list of Assertions
*/
if (assertions != null) {
try {
} catch (SAML2Exception e) {
}
}
}
return returnAssertions;
}
/**
* Checks if it is a persistent request or not.
*
* @param nameId Name ID object
* @return true if it is a persistent request, false if not.
*/
boolean isPersistent = false;
return isPersistent;
}
isPersistent = true;
}
}
if (debug.messageEnabled()) {
}
return isPersistent;
}
/**
* Checks if the federation information for the user exists or not.
*
* @param userName user id for which account federation needs to be
* returned.
* @param hostEntityID <code>EntityID</code> of the hosted entity.
* @param remoteEntityId <code>EntityID</code> of the remote entity.
* @return true if exists, false otherwise.
*/
boolean exists = false;
return exists;
}
try {
exists = true;
}
} catch (SAML2Exception se) {
if (debug.messageEnabled()) {
}
} catch (Exception e) {
}
if (debug.messageEnabled()) {
}
return exists;
}
/**
* Returns the <code>NameIDInfoKey</code> key value pair that can
* be used for searching the user.
*
* @param nameID <code>NameID</code> object.
* @param hostEntityID hosted <code>EntityID</code>.
* @param remoteEntityID remote <code>EntityID</code>.
* @param hostEntityRole the role of hosted entity.
* @throws <code>SAML2Exception</code> if any failure.
*/
final String hostEntityID,
final String remoteEntityID,
final String hostEntityRole)
throws SAML2Exception {
"nullNameID"));
}
} else {
"spNotAffiliationMember"));
}
} else {
remoteEntityID)) {
"spNotAffiliationMember"));
}
}
}
} else {
}
if (debug.messageEnabled()) {
}
return keyMap;
}
/**
* Returns <code>true</code> if <code>Issuer</code> is valid.
*
* @param issuer to be checked <code>Issuer</code> instance.
* @param orgName the name of the realm or organization.
* @param hostEntityId Entity ID of the hosted provider.
* @return <code>true</code> if the <code>Issuer</code> is trusted;
* <code>false</code> otherwise.
*/
final String hostEntityId) {
boolean isValid = false;
try {
// Check if entityID is trusted provider
}
}
return isValid;
} catch (Exception e) {
"Exception : ", e);
return false;
}
}
/**
* Returns <code>DataStoreProvider</code> object.
*
* @return <code>DataStoreProvider</code> configured for the SAML2 plugin.
* @throws SAML2Exception if any failure.
*/
public static DataStoreProvider getDataStoreProvider()
throws SAML2Exception {
try {
} catch (DataStoreProviderException dse) {
"DataStoreProviderException : ", dse);
throw new SAML2Exception(dse);
}
}
/**
* Returns the encoded request message. The SAML Request message must be
* encoded before being transmitted. The Request message is base-64
* encoded according to the rules specified in RFC2045.
*
* @param str String to be encoded.
* @return String the encoded String value or null on error.
*/
try {
} catch (UnsupportedEncodingException uee) {
return null;
}
}
/**
* Returns the encoded request message.
* The SAML Request message must be
* encoded before being transmitted.
* The Request message is encoded as follows:
* 1. URL Encoded using the DEFLATE compression method.
* 2. Then the message is base-64 encoded according to
* the rules specified in RFC2045.
*
* @param str String to be encoded.
* @return String the encoded String value or null on error.
*/
byte[] input;
try {
} catch (UnsupportedEncodingException uee) {
return null;
}
try {
} catch (IOException e) {
return null;
} finally {
}
if (debug.messageEnabled()) {
}
return encoded;
}
/**
* Decodes the request message.
*
* @param str String to be decoded.
* @return String the decoded String.
*/
return null;
}
if (debug.messageEnabled()) {
}
return null;
}
// From the Inflater JavaDoc:
// Note: When using the 'nowrap' option it is also necessary to provide an extra "dummy" byte as input.
// This is required by the ZLIB native library in order to support certain optimizations.
int bufferLength = 2048;
try {
}
} catch (NumberFormatException nfe) {
}
// Decompress the bytes
InflaterInputStream inflaterInputStream = new InflaterInputStream(new ByteArrayInputStream(input), inflater);
try {
int b = inflaterInputStream.read();
while (b != -1) {
b = inflaterInputStream.read();
}
} catch (IOException e) {
return null;
} finally {
}
try {
} catch (UnsupportedEncodingException uee) {
return null;
}
if (debug.messageEnabled()) {
}
return result;
}
/**
* Removes new line character from a String.
*
* @param string String to remove newline characters from.
* @return String with newline characters trimmed.
*/
return string;
}
// maybe should be getting the newline expression from the system preferences
}
/**
* Returns an instance of <code>SAML2MetaManger</code>.
*
* @return Instance of <code>SAML2MetaManager</code>
*/
public static SAML2MetaManager getSAML2MetaManager() {
return saml2MetaManager;
}
/**
* Returns the realm.
*
* @param realm Realm object.
* @return realm if the input is not null or empty, otherwise
* return the root realm.
*/
return "/";
}
return realm;
}
/**
* Returns the realm.
*
* @param paramsMap a map of parameters
* @return realm if the input map contains the realm, otherwise
* return the default realm from AMConfig.properties
*/
}
/**
* Returns the query parameter value for the param specified from the given Map.
*
* @param paramsMap a map of parameters
* @param attributeName name of the parameter
* @return the value of this parameter or null if the parameter was not found in the params map
*/
return null;
}
}
/**
* Returns a Map of parameters retrieved from the Query parameters
* in the HttpServletRequest.
*
* @param request the <code>HttpServletRequest</code>.
* @return a Map where the key is the parameter Name and
* value is of the type List.
*/
}
if (authContextClassRef != null) {
}
if (includeContext != null) {
paramsMap.put(SAML2Constants.INCLUDE_REQUESTED_AUTHN_CONTEXT, Collections.singletonList(includeContext));
}
return paramsMap;
}
/**
* Extracts a value from the request and puts it in the map.
*
* @param request the request object to extract the value from
* @param paramsMap the Map to add the value to
* @param parameterName the name of the value to extract
*/
}
/**
* Extracts a value from the request and puts it in the map.
*
* @param request the request object to extract the value from
* @param paramsMap the Map to add the value to
* @param parameterName the name of the value to extract
*/
final String parameterName) {
}
/**
* Puts the given parameter value into a new List object then adds it to the map.
*
* @param paramsMap the map to add the object to
* @param paramVal the value of the parameter
* @param parameterName the name of the parameter
*/
final String parameterName) {
}
}
/**
* Puts the given parameter value into a new List object then adds it to the map.
*
* @param paramsMap the map to add the object to
* @param paramVal the value of the parameter
* @param parameterName the name of the parameter
*/
final String parameterName) {
}
}
/**
* as a List. The string passed to this method
* is a pipe separated value.
*
* @param str a pipe separated String to be parsed.
* @return List contained the parsed values.
*/
while (st.hasMoreTokens()) {
}
return ctxList;
}
/**
* Generates provider Source ID based on provider Entity ID. The returned
* is SHA-1 digest string.
*
* @param entityID Entity ID for example <code>http://host.sun.com:81</code>
* @return sourceID string
*/
return null;
}
try {
} catch (NoSuchAlgorithmException e) {
return null;
}
}
}
/**
* Extracts serverID from the specified id.
*
* @param id an id.
* @return the extracted id, or null if the given string is too short or null.
*/
return null;
}
}
/**
* Gets remote service URL according to server id embedded in the provided ID.
*
* @param id The server's ID or a user's sessionIndex.
* @return Remote service URL corresponding to the ID, or null if the ID is local, or an error occurred.
*/
if (debug.messageEnabled()) {
}
return null;
}
try {
return null;
}
if (debug.warningEnabled()) {
debug.warning("SAML2Utils.getRemoteServiceURL: the given id refers to a site and not a server: " + serverID);
}
return null;
}
} catch (SystemConfigurationException sce) {
if (debug.messageEnabled()) {
}
return null;
}
}
/**
* Generates ID with server id at the end.
*
* @return ID value.
*/
public static String generateIDWithServerID() {
return null;
}
return embedServerID(id);
}
/**
* Generates message handle with server id used in an <code>Artifact</code>.
*
* @return String format of 20-byte sequence identifying message.
*/
public static String generateMessageHandleWithServerID() {
return null;
}
return embedServerID(id);
}
/**
* Replaces last 2 chars of specified id with server id.
*
* @param id an id
* @return String with server id at the end.
*/
try {
// serverId is 2 digit string
} else if (debug.messageEnabled()) {
"invalid server id = " + serverId);
}
if (debug.messageEnabled()) {
}
}
return id;
}
/**
* Returns the server id of the local server
*/
public static String getLocalServerID() {
try {
if (debug.messageEnabled()) {
}
}
return serverId;
}
/**
* Sets mime headers in HTTP servlet response.
*
* @param headers mime headers to be set.
* @param response HTTP servlet response.
*/
public static void putHeaders(
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
}
} else {
if (i != 0) {
}
}
}
}
}
/**
* Generates SAMLv2 Status object
*
* @param code Status code value.
* @param message Status message.
* @return Status object.
*/
}
/**
* Generates SAMLv2 Status object
*
* @param code Status code value.
* @param subCode second-level status code
* @param message Status message.
* @return Status object.
*/
try {
.createStatusCode();
}
.createStatusCode();
}
} catch (SAML2Exception e) {
}
return status;
}
/**
* Returns a <code>SAML Response</code> object containing error status
*
* @param request the <code>RequestAbstract</code> object
* @param code the error code
* @param subCode teh second-level error code
* @param statusMsg the error message
* @param issuerEntityID the entity id of the issuer
* @return the <code>SAML Response</code> object containing error status
* @throws SAML2Exception if the operation is not successful
*/
public static Response getErrorResponse(
throws SAML2Exception {
if (responseID == null) {
return null;
}
// sp initiated case, need to set InResponseTo attribute
}
// set the idp entity id as the response issuer
if (issuerEntityID != null) {
}
if (debug.messageEnabled()) {
}
return errResp;
}
/**
* Returns encryption certificate alias names.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return The list of certificate aliases for encryption.
*/
public static List<String> getEncryptionCertAliases(String realm, String hostEntityId, String entityRole) {
if (debug.messageEnabled()) {
}
return getAllAttributeValueFromSSOConfig(realm, hostEntityId, entityRole, SAML2Constants.ENCRYPTION_CERT_ALIAS);
}
/**
* Returns signing certificate alias name.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return alias name of certificate alias for signing.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
}
/**
* Returns signing certificate key password (encrypted).
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return The encrypted keypass of the private key used for signing.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
}
/**
* Returns true if wantAssertionEncrypted has <code>String</code> true.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantAssertionEncrypted has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantEncrypted == null) {
wantEncrypted = "false";
}
}
/**
* Returns true if wantAttributeEncrypted has <code>String</code> true.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantAttributeEncrypted has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantEncrypted == null) {
wantEncrypted = "false";
}
}
/**
* Returns true if wantNameIDEncrypted has <code>String</code> true.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantNameIDEncrypted has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantEncrypted == null) {
wantEncrypted = "false";
}
}
/**
* Returns true if wantArtifactResolveSigned has <code>String</code> true.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantArtifactResolveSigned has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantSigned == null) {
wantSigned = "false";
}
}
/**
* Returns true if wantArtifactResponseSigned has <code>String</code> true.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantArtifactResponseSigned has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantSigned == null) {
wantSigned = "false";
}
}
/**
* Returns true if wantLogoutRequestSigned has <code>String</code> true.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantLogoutRequestSigned has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantSigned == null) {
wantSigned = "false";
}
}
/**
* Returns true if wantLogoutResponseSigned has <code>String</code> true.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantLogoutResponseSigned has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantSigned == null) {
wantSigned = "false";
}
}
/**
* Returns true if wantMNIRequestSigned has <code>String</code> true.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantMNIRequestSigned has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantSigned == null) {
wantSigned = "false";
}
}
/**
* Returns true if wantMNIResponseSigned has <code>String</code> true.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantMNIResponseSigned has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantSigned == null) {
wantSigned = "false";
}
}
/**
* Returns boolean value of specified attribute from SSOConfig.
* This method is used for boolean-valued attributes.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @param attrName attribute name for the value.
* @return value of specified attribute from SSOConfig.
*/
return false;
}
}
/**
* Returns single value of specified attribute from SSOConfig.
* This method is used for single-valued attributes.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @param attrName attribute name for the value.
* @return value of specified attribute from SSOConfig.
*/
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
}
} else {
return null;
}
}
/**
* Returns all values of specified attribute from SSOConfig.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @param attrName attribute name for the value.
* @return value of specified attribute from SSOConfig.
*/
if (debug.messageEnabled()) {
}
try {
} else if (entityRole.equalsIgnoreCase(
} else if (entityRole.equalsIgnoreCase(
} else if (entityRole.equalsIgnoreCase(
}
return null;
}
return null;
}
} catch (SAML2MetaException e) {
}
return null;
}
/**
* Returns the role of host entity.
*
* @param paramsMap <code>Map</code> includes parameters.
* @return role name for hosted entity.
* @throws SAML2Exception if error in retrieving the parameters.
*/
throws SAML2Exception {
return roleName;
}
throw new SAML2Exception(
}
/**
* Returns true if this entity is acting as both SP and IDP.
*
* @param hostEntityId entity ID of the hosted entity.
* @param realm the realm the entity resides.
* @return true if this entity is acting as both SP and IDP,
* false otherwise.
*/
try {
return false;
}
} catch (Exception e) {
return false;
}
}
/**
* Returns url for redirection.
*
* @param request <code>HttpServletRequest</code> for redirecting.
* @param response <code>HttpServletResponse</code> for redirecting.
* @param realm realm of hosted entity.
* @param hostEntityID name of hosted entity.
* @param entityRole role of hosted entity.
* @throws IOException if error in redirecting request.
*/
public static void redirectAuthentication(
// get the authentication service url
// need to get it from the request
if (secondSlashIndex != -1) {
}
}
authUrl += "?goto=";
} else {
authUrl += "&goto=";
}
if (debug.messageEnabled()) {
}
}
/**
* Returns url for redirection.
*
* @param entityID entityID for Issuer.
* @return Issuer for the specified entityID.
* @throws SAML2Exception if error in creating Issuer element.
*/
throws SAML2Exception {
if (debug.messageEnabled()) {
}
return issuer;
}
/**
* Sign Query string.
*
* @param queryString URL query string that will be signed.
* @param realm realm of host entity.
* @param hostEntity entityID of host entity.
* @param hostEntityRole entity role of host entity.
* @return returns signed query string.
* @throws SAML2Exception if error in signing the query string.
*/
throws SAML2Exception {
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
}
}
} else {
}
if (signingKey == null) {
throw new SAML2Exception(
}
}
/**
* Verify Signed Query string.
*
* @param queryString URL query string that will be verified.
* @param realm realm of host entity.
* @param hostEntityRole entity role of host entity.
* @param remoteEntity entityID of peer entity.
* @return returns true if sign is valid.
* @throws SAML2Exception if error in verifying the signature.
*/
throws SAML2Exception {
if (debug.messageEnabled()) {
}
} else {
}
if (debug.messageEnabled()) {
}
if (signingCerts.isEmpty()) {
}
}
/**
* Parses the request parameters and return session object
* or redirect to login url.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param metaAlias entityID of hosted entity.
* @param paramsMap Map of all other parameters.
* @return session object of <code>HttpServletRequest</code>.
* @throws SAML2Exception if error initiating request to remote entity.
*/
public static Object checkSession(
try {
} catch (SessionException se) {
if (debug.messageEnabled()) {
}
}
if (debug.messageEnabled()) {
"redirect to the authentication service");
}
// the user has not logged in yet,
// redirect to the authentication service
try {
} catch (IOException ioe) {
}
}
return session;
}
/**
* Returns a Name Identifier
*
* @return a String the Name Identifier. Null value
* is returned if there is an error in
* generating the Name Identifier.
*/
public static String createNameIdentifier() {
try {
byte[] handleBytes = new byte[21];
if (debug.messageEnabled()) {
}
} catch (Exception e) {
+ " Exception during proccessing request" + e.getMessage());
}
return handle;
}
/**
* Returns the Service Provider AuthnContext Mapper Object.
*
* @param authnCtxClassName Service Provider AuthnContext Mapper Class Name.
* @return SPAuthnContextMapper Object.
*/
public static SPAuthnContextMapper getSPAuthnContextMapper(
if (debug.messageEnabled()) {
}
try {
} catch (ClassNotFoundException ce) {
if (debug.messageEnabled()) {
+ " using Default AuthnContext Mapper");
}
} catch (InstantiationException ie) {
if (debug.messageEnabled()) {
+ " using Default AuthnContext Mapper");
}
} catch (IllegalAccessException iae) {
if (debug.messageEnabled()) {
+ " using Default AuthnContext Mapper");
}
} catch (Exception e) {
if (debug.messageEnabled()) {
+ " using Default AuthnContext Mapper");
}
}
}
if (spAuthnCtx == null) {
spAuthnCtx = new DefaultSPAuthnContextMapper();
}
return spAuthnCtx;
}
/**
* Verifies <code>Issuer</code> in <code>Request</code> and returns
* true if the Issuer is part of COT
* SAML2 auth module only.
*
* @param realm realm of hosted entity.
* @param hostEntity name of hosted entity.
* @param reqIssuer <code>Issuer</code> of Request.
* @param requestId request ID
* @return true if issuer is valid.
* @throws SAML2Exception
*/
throws SAML2Exception {
if (!issuerValid) {
if (debug.messageEnabled()) {
"Issuer in Request is not valid.");
}
data,
null);
throw new SAML2Exception(
}
return issuerValid;
}
/**
* Verifies <code>Issuer</code> in <code>Response</code> and returns
* true if the Issuer is part of COT
*
* @param realm realm of hosted entity.
* @param hostEntity name of hosted entity.
* @param resIssuer <code>Issuer</code> of Response.
* @param requestId request ID for the response.
* @return true if issuer is valid.
* @throws SAML2Exception
*/
throws SAML2Exception {
if (!issuerValid) {
if (debug.messageEnabled()) {
"Issuer in Response is not valid.");
}
data,
null);
throw new SAML2Exception(
}
return issuerValid;
}
// get spExtended
try {
if (debug.messageEnabled()) {
}
if (spEntityCfg != null) {
}
} catch (COTException ce) {
if (debug.messageEnabled()) {
"Error retreiving circle of trust", ce);
}
} catch (SAML2Exception s2e) {
if (debug.messageEnabled()) {
"Error getting reader URL : ", s2e);
}
} catch (Exception e) {
if (debug.messageEnabled()) {
"Error getting reader URL : ", e);
}
}
return readerURL;
}
/**
* Returns the Request URL.
* The getRequestURL does not alway returns the correct url
* so this method builds the URL by retrieving the protocol,port
* host name and deploy descriptor.
*
* @param request the <code>HttpServletRequest</code>.
* @return the Request URL string.
*/
}
} else {
}
baseURL += deployDesc;
}
return baseURL;
}
/**
* Returns the Identity Provider Entity Identifier.
* This method retrieves the _saml_idp query parameter
* from the request and parses it to get the idp entity
* id. If there are more then one idps then the last
* one is the preferred idp.
*
* @param request the <code>HttpServletRequest</code> .
* @return the identity provider entity identifier String.
*/
while (st.hasMoreTokens()) {
}
try {
} catch (Exception e) {
}
}
return idpEntityID;
}
/**
* Returns the redirect URL.
* This methods returns the complete reader redirect url.
* The RelayState and requestId parameter are appended to
* the URL to redirection back to the spSSOInit jsp.
*
* @param readerURL the readerURL to redirect to.
* @param requestID the unique identifier to identify the request.
* @param request the HttpServletRequest.
* @return redirectURL the URL to redirect to.
*/
.append("?RelayState=");
} else {
}
return redirectURLBuilder.toString();
}
/**
* Returns an <code>IDPAccountMapper</code>
*
* @param realm the realm name
* @param idpEntityID the entity id of the identity provider
* @return the <code>IDPAccountMapper</code>
* @throws SAML2Exception if the operation is not successful
*/
public static IDPAccountMapper getIDPAccountMapper(
throws SAML2Exception {
try {
if (idpAccountMapperName == null) {
if (debug.messageEnabled()) {
}
}
if (idpAccountMapper == null) {
} else {
if (debug.messageEnabled()) {
"got the IDPAccountMapper from cache");
}
}
"Unable to get IDP Account Mapper.", ex);
throw new SAML2Exception(ex);
}
return idpAccountMapper;
}
/**
* Returns a <code>SAML2IdentityProviderAdapter</code>
*
* @param realm the realm name
* @param idpEntityID the entity id of the identity provider
* @return the <code>SAML2IdentityProviderAdapter</code>
* @throws SAML2Exception if the operation is not successful
*/
public static SAML2IdentityProviderAdapter getIDPAdapterClass(
throws SAML2Exception {
try {
if (debug.messageEnabled()) {
}
}
// Attempt to retrieve the adapter from the cache
idpAdapter = (SAML2IdentityProviderAdapter) IDPCache.idpAdapterCache.get(realm + "$" + idpEntityID + "$" + idpAdapterName);
if (idpAdapter == null) {
// NB: multiple threads may cause several adapter objects to be created
// Add the adapter to the cache after initialization
} else {
if (debug.messageEnabled()) {
}
}
throw new SAML2Exception(ex);
}
return idpAdapter;
}
/**
* Returns an <code>SP</code> adapter class
*
* @param spEntityID the entity id of the service provider
* @param realm the realm name
* @return the <code>SP</code> adapter class
* @throws SAML2Exception if the operation is not successful
*/
public static SAML2ServiceProviderAdapter getSPAdapterClass(
throws SAML2Exception {
if (debug.messageEnabled()) {
}
try {
if (debug.messageEnabled()) {
"get SPAdapter class " + spAdapterClassName);
}
if ((spAdapterClassName != null) &&
if (spAdapterClass == null) {
if (debug.messageEnabled()) {
"create new SPAdapter " + spAdapterClassName +
}
} else {
if (debug.messageEnabled()) {
"got the SPAdapter " + spAdapterClassName +
" from cache");
}
}
}
} catch (InstantiationException ex) {
"Unable to get SP Adapter class instance.", ex);
throw new SAML2Exception(ex);
} catch (ClassNotFoundException ex) {
"SP Adapter class not found.", ex);
throw new SAML2Exception(ex);
} catch (IllegalAccessException ex) {
"Unable to get SP Adapter class.", ex);
throw new SAML2Exception(ex);
}
return spAdapterClass;
}
/**
* Returns a <code>Fedlet</code> adapter class.
*
* @param spEntityID the entity id of the service provider
* @param realm the realm name
* @return the <code>Fedlet</code> adapter class
* @throws SAML2Exception if the operation is not successful
*/
public static FedletAdapter getFedletAdapterClass(
throws SAML2Exception {
if (debug.messageEnabled()) {
}
try {
if (debug.messageEnabled()) {
"get FedletAdapter class " + fedletAdapterClassName);
}
if ((fedletAdapterClassName != null) &&
if (fedletAdapterClass == null) {
if (debug.messageEnabled()) {
"create new FedletAdapter " +
}
} else {
if (debug.messageEnabled()) {
"got the FedletAdapter " + fedletAdapterClassName +
" from cache");
}
}
}
} catch (InstantiationException ex) {
"Unable to get Fedlet Adapter class instance.", ex);
throw new SAML2Exception(ex);
} catch (ClassNotFoundException ex) {
"Fedlet Adapter class not found.", ex);
throw new SAML2Exception(ex);
} catch (IllegalAccessException ex) {
"Unable to get Fedlet Adapter class.", ex);
throw new SAML2Exception(ex);
}
return fedletAdapterClass;
}
/**
* Returns map based on A/V pair.
*/
return map;
}
if (debug.messageEnabled()) {
}
continue;
}
if (pos == -1) {
if (debug.warningEnabled()) {
+ val + ". Value must be in key=value format.");
}
} else {
}
}
return map;
}
/**
* Returns an <code>SPAccountMapper</code>
*
* @param realm the realm name
* @param spEntityID the entity id of the service provider
* @return the <code>SPAccountMapper</code>
* @throws SAML2Exception if the operation is not successful
*/
public static SPAccountMapper getSPAccountMapper(
throws SAML2Exception {
try {
if (spAccountMapperName == null) {
if (debug.messageEnabled()) {
}
}
if (spAccountMapper == null) {
} else {
if (debug.messageEnabled()) {
"got the SPAccountMapper from cache");
}
}
"Unable to get SP Account Mapper.", ex);
throw new SAML2Exception(ex);
}
return spAccountMapper;
}
/**
* Returns an <code>SAML2IDPFinder</code> which is used to find a list
* of IDP's for ECP Request.
*
* @param realm the realm name
* @param spEntityID the entity id of the service provider
* @return the <code>SAML2IDPFinder</code>
* @throws SAML2Exception if the operation is not successful
*/
try {
if (debug.messageEnabled()) {
}
if ((implClassName == null) ||
return null;
}
if (ecpRequestIDPListFinder == null) {
} else {
if (debug.messageEnabled()) {
"got the ECP Request IDP List Finder from cache");
}
}
if (debug.warningEnabled()) {
"Unable to get ECP Request IDP List Finder.", ex);
}
}
return ecpRequestIDPListFinder;
}
/**
* Returns the URL to which redirection will happen after
* Single-Signon / Federation. This methods checks the
* following parameters to determine the Relay State.
* 1. The "RelayState" query parameter in the request.
* 2. The "RelayStateAlias" query parameter in the
* request which is used in the absence of the
* RelayState parameter to determine which query parameter
* to use if no "RelayState" query paramerter is present.
* 3. The "goto" query parameter if present is the default
* RelayState in the absence of the above.
*
* @param request the <code>HttpServletRequest</code> object.
* @return the value of the URL to which to redirect on
* successful Single-SignOn / Federation.
*/
while (st.hasMoreTokens()) {
break;
}
}
}
if (relayState == null) {
// check if goto parameter is there.
}
}
return relayState;
}
/**
* Compares the destination and location
*
* @param destination Destination
* @param location the URL from the meta
* @return <code>true</code> if the input are the same,
* otherwise, return <code>false</code>
*/
/* Note:
Here we assume there is one endpoint per protocol. In future,
we may support more than one endpoint per protocol. The caller
code should change accordingly.
*/
}
/**
* Retrieves SAE related attributes from exended metadata.
*
* @param realm realm the FM provider is in
* @param entityId the entity ID of the FM provider
* @param role Role of the FM provider
* @param appUrl application url
* @return Map containing SAE parameters or null in case of error.
*/
public static Map getSAEAttrs(
return null;
}
try {
spConfig =
return null;
}
} else {
return null;
}
}
return null;
}
if (debug.messageEnabled()) {
}
while (st.hasMoreTokens()) {
if (debug.messageEnabled()) {
}
} else {
break;
}
}
}
if (debug.messageEnabled()) {
}
return hp;
}
}
}
} catch (SAML2MetaException e) {
}
return null;
}
/**
* Obtains the value of NameID from Response.
*
* @param response <code>Response</code> object
* @return value of the NameID from the first Assertion in the response.
* null if the response is null, or no assertion in the response, or
* no NameID in the assertion.
*/
}
}
}
}
return null;
}
/**
* Writes a log record in SAML2 access log.
* (fmSAML2.access)
*
* @param lvl indicating log level
* @param msgid Message id
* @param data string array of dynamic data only known during run time
* @param tok Session of authenticated user
* @param ipaddr IP Address.
* @param userid User Id.
* @param org Organization.
* @param module Module Name.
* @param props log record columns - used if tok is not available
* to specify log record columns such as ip address, realm, etc
*/
}
/**
* Writes error occurred in SAML2 component into a log
* (fmSAML2.error)
*
* @param lvl indicating log level
* @param msgid Message id
* @param data string array of dynamic data only known during run time
* @param tok Session of authenticated user
* @param ipaddr IP Address
* @param userid User Id
* @param org Organization
* @param module Module Name
* @param props log record columns - used if tok is not available
* to specify log record columns such as ip address, realm, etc
*/
public static void logError(
}
private static Map accumulateLogProps(
}
}
}
}
}
return props;
}
/**
* Returns the value of attribute from entity configuration.
*
* @param realm the realm of the entity.
* @param entityRole role of the entity (PEP or PDP).
* @param entityID identity of the entity.
* @param attrName name of attribute whose value is to be retreived.
* @return value of the attribute.
*/
public static String getAttributeValueFromXACMLConfig(
) {
if (debug.messageEnabled()) {
}
try {
}
} else {
entityID);
}
}
}
}
} catch (SAML2MetaException e) {
}
if (debug.messageEnabled()) {
}
return result;
}
/**
* Returns true if wantXACMLAuthzDecisionQuerySigned has
* <code>true</code> true.
*
* @param realm realm of hosted entity.
* @param entityID name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantXACMLAuthzDecisionQuerySigned
* has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantSigned == null) {
wantSigned = "false";
}
}
/**
* Checks certificate validity with configured CRL
*
* @param cert x509 certificate
* @return <code>true</code> if the certificate is not in CRL,
* otherwise, return <code>false</code>
*/
boolean certgood = true;
if (!checkCertStatus) {
if (debug.messageEnabled()) {
" CRL check is not configured. Just return it is good.");
}
return certgood;
}
certgood =
if (debug.messageEnabled()) {
}
return certgood;
}
/**
* Gets the <code>SPAttributeMapper</code>.
*
* @param realm The realm the SP belongs to.
* @param spEntityID The entity ID of the SP.
* @return The {@link SPAttributeMapper} defined in the configuration.
* @throws SAML2Exception if the processing failed.
*/
public static SPAttributeMapper getSPAttributeMapper(String realm, String spEntityID) throws SAML2Exception {
try {
if (spAttributeMapperName == null) {
}
if (debug.messageEnabled()) {
}
throw new SAML2Exception(ex);
}
}
/**
* Returns the attribute map by parsing the configured map in hosted
* provider configuration
*
* @param realm realm name.
* @param hostEntityID <code>EntityID</code> of the hosted provider.
* @return a map of local attributes configuration map.
* This map will have a key as the SAML attribute name and the value
* is the local attribute.
* @throws <code>SAML2Exception</code> if any failured.
*/
}
if (hostEntityID == null) {
}
if (debug.messageEnabled()) {
+ realm + ", entity id="
}
try {
}
if (debug.warningEnabled()) {
}
return Collections.EMPTY_MAP;
}
if (debug.messageEnabled()) {
}
return Collections.EMPTY_MAP;
}
return getMappedAttributes(mappedAttributes);
} catch (SAML2MetaException sme) {
}
}
/**
* For the list of Strings containing mappings, return a map of name value pairs that match the mapping string
* @param mappedAttributes a non-null list of strings in the form of name=value or name="static value"
* @return a Map of name value pairs keyed off of the mapping name from the mappedAttributes list
*/
if (mappedAttributes == null) {
return Collections.emptyMap();
}
if (equalsLoc == -1) {
if (debug.messageEnabled()) {
}
continue;
}
}
return attributeMap;
}
/**
* Returns the SAML <code>Attribute</code> object.
*
* @param name attribute name.
* @param values attribute values.
* @throws SAML2Exception if any failure.
*/
throws SAML2Exception {
}
//samlAttribute might be in format: NameFormat|Name
if (pipePos != -1) {
} else {
//TO DO: Put the message in the bundle libSAML2_XX.properties
throw new SAML2Exception("Wrong format of the attribute Name");
}
} else {
}
}
}
return attribute;
}
try {
} catch (ServletException sE) {
} catch (IOException ioE) {
}
}
/**
* Handles any exception when attempting to forward.
*
* @param exception Thrown and caught exception
* @throws SAML2Exception Single general exception that is thrown on
*/
}
/**
* Verifies specified name ID format and returns it. If specified name ID
* format is empty, returns name ID foramt supported by both IDP and SP.
*
* @param nameIDFormat name ID format.
* @param spsso SP meta data desciptor.
* @param idpsso IDP meta data desciptor.
* @throws SAML2Exception if name ID format is not supported.
*/
throws SAML2Exception {
// idpsso is null for ECP case
}
if ((idpNameIDFormatList == null) ||
(idpNameIDFormatList.isEmpty())) {
if ((spNameIDFormatList == null) ||
(spNameIDFormatList.isEmpty())) {
return SAML2Constants.PERSISTENT;
} else {
}
} else {
if ((spNameIDFormatList == null) ||
(spNameIDFormatList.isEmpty())) {
} else {
nameIDFormat = null;
break;
}
}
if (nameIDFormat == null) {
"unsupportedNameIDFormatIDPSP"));
}
}
}
} else {
}
if (debug.messageEnabled()) {
"NameIDFormat not supported by SP: " + nameIDFormat);
}
throw new SAML2Exception(BUNDLE_NAME,
"unsupportedNameIDFormatSP", args);
}
if ((idpNameIDFormatList != null) &&
(!idpNameIDFormatList.isEmpty()) &&
if (debug.messageEnabled()) {
"NameIDFormat not supported by IDP: " + nameIDFormat);
}
throw new SAML2Exception(BUNDLE_NAME,
"unsupportedNameIDFormatIDP", args);
}
}
return nameIDFormat;
}
/**
* Returns true if the specified AuthnContextClassRef matches a list of
* requested AuthnContextClassRef.
*
* @param requestedACClassRefs a list of requested AuthnContextClassRef's
* @param acClassRef AuthnContextClassRef
* @param comparison the type of comparison
* @param acClassRefLevelMap a AuthnContextClassRef to AuthLevel map. Key
* is AuthnContextClassRef in <code>String</code> and value is
* AuthLevel in <code>Integer</code>
* @return true if the specified AuthnContextClassRef matches a list of
* requested AuthnContextClassRef
*/
if (debug.messageEnabled()) {
}
return false;
}
return true;
}
}
return false;
}
if (debug.messageEnabled()) {
"isAuthnContextMatching: requstedACClassRef = " +
}
if (level >= requestedLevel) {
return true;
}
}
return false;
if (debug.messageEnabled()) {
"isAuthnContextMatching: requstedACClassRef = " +
}
if (level <= requestedLevel) {
return false;
}
}
return true;
if (debug.messageEnabled()) {
"isAuthnContextMatching: requstedACClassRef = " +
}
if (level <= requestedLevel) {
return true;
}
}
return false;
}
return false;
}
/**
* Processes logout for external application. This will do a back channel
* HTTP POST to the external application logout URL with all the cookies
* and selected session property as HTTP header.
*
* @param request HttpServletRequest
* @param appLogoutURL external application logout URL
* @param session session object of the user
*/
try {
return;
}
// actual application logout URL without the session
// property query parameter
// name of the session property
// find out session property name from the URL
if (pos != -1) {
if (endPos != -1) {
endPos);
} else {
}
}
if (debug.messageEnabled()) {
", real logoutURL=" + logoutURL +
", session property name: " + sessProp);
}
conn.setDoOutput(true);
HttpURLConnection.setFollowRedirects(false);
conn.setInstanceFollowRedirects(false);
// replay cookies
if (strCookies != null) {
if (debug.messageEnabled()) {
}
}
// set header & content
int i = 0;
while (true) {
} else {
break;
}
}
}
}
if (debug.messageEnabled()) {
}
// Write the request to the HTTP server.
// Check response code
if (debug.messageEnabled()) {
}
} else {
+ conn.getResponseCode());
}
} catch (SessionException ex) {
} catch (IOException ex) {
}
}
// Get cookies string from HTTP request object
// Process Cookies
if (debug.messageEnabled()) {
}
cookieStr = new StringBuffer();
} else {
}
} else {
}
}
}
}
return (strCookies);
}
/**
* Returns value of attribute <code>wantPOSTResponseSigned</code>
* as a boolean value true to false.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantPOSTResponseSigned has <code>String</code> true,
* otherwise false.
*/
if (debug.messageEnabled()) {
+ entityRole);
}
}
/**
* Checks if a profile binding is suppported by a SP.
*
* @param realm Realm the SP is in.
* @param spEntityID SP entity id.
* @param binding binding to be checked on
* @return <code>true</code> if the binding is supported;
* <code>false</code> otherwise.
*/
public static boolean isSPProfileBindingSupported(
if ((saml2MetaManager == null) ||
return false;
}
try {
}
return true;
}
}
}
} catch (SAML2MetaException me) {
}
return false;
}
/**
* Checks if a profile binding is suppported by an IDP.
*
* @param realm Realm the IDP is in.
* @param idpEntityID IDP entity id.
* @param binding binding to be checked on
* @return <code>true</code> if the binding is supported;
* <code>false</code> otherwise.
*/
public static boolean isIDPProfileBindingSupported(
if ((saml2MetaManager == null) ||
return false;
}
try {
} else if (
} else if (
} else if (
} else if (
}
return true;
}
}
}
} catch (SAML2MetaException me) {
}
return false;
}
/**
* Convenience method to validate a SAML2 relay state (goto) URL, often called from a JSP.
*
* @param request Used to help establish the realm and hostEntityID.
* @param relayState The URL to validate.
* @param role The role of the caller.
* @return <code>true</code> if the relayState is valid.
*/
public static boolean isRelayStateURLValid(HttpServletRequest request, String relayState, String role) {
//try to acquire the metaAlias from request parameter
}
}
/**
* Convenience method to validate a SAML2 relay state (goto) URL, often called from a JSP.
*
* @param metaAlias The metaAlias of the hosted entity.
* @param relayState The URL to validate.
* @param role The role of the caller.
* @return <code>true</code> if the relayState is valid.
*/
boolean result = false;
try {
if (hostEntityID != null) {
result = true;
}
} catch (SAML2Exception e) {
if (debug.messageEnabled()) {
}
result = false;
}
}
if (debug.messageEnabled()) {
}
return result;
}
/**
* Validates the Relay State URL against a list of valid Relay State
* URLs created on the hosted service provider.
*
* @param orgName realm or organization name the provider resides in.
* @param hostEntityId Entity ID of the hosted provider.
* @param relayState Relay State URL.
* @throws SAML2Exception if the processing failed.
*/
public static void validateRelayStateURL(
// Check for the validity of the RelayState URL.
}
}
}
/**
* Sends the request to the original Federation server and receives the result
* data.
*
* @param request HttpServletRequest to be sent
* @param response HttpServletResponse to be received
* @param sloServerUrl URL of the original federation server to be
* connected
* @return HashMap of the result data from the original server's response
*/
// Print request Headers
if (debug.messageEnabled()) {
for (Enumeration<String> requestHeaders = request.getHeaderNames(); requestHeaders.hasMoreElements(); ) {
}
}
// Open URL connection
try {
if (debug.messageEnabled()) {
}
if (isGET) {
} else {
conn.setDoOutput(true);
}
HttpURLConnection.setFollowRedirects(false);
conn.setInstanceFollowRedirects(false);
// replay cookies
if (strCookies != null) {
if (debug.messageEnabled()) {
}
}
conn.setRequestProperty(SAMLConstants.ACCEPT_LANG_HEADER, request.getHeader(SAMLConstants.ACCEPT_LANG_HEADER));
// do the remote connection
if (isGET) {
} else {
}
if (debug.messageEnabled()) {
}
try {
} catch (IOException ioe) {
} finally {
}
}
// Receiving input from Original Federation server...
if (debug.messageEnabled()) {
}
// Input from Original servlet...
int len;
char[] buf = new char[1024];
}
if (debug.messageEnabled()) {
}
if (redirect_url != null) {
}
// retrieves cookies from the response
if (debug.messageEnabled()) {
}
}
return origRequestData;
}
// parses the cookies from the response header and adds them in
// the HTTP response.
// TODO: This is a copy from AuthClientUtils, need to refactor into OpenAM
// common
if (debug.messageEnabled()) {
}
return;
}
continue;
}
if (debug.messageEnabled()) {
+ cookieStr);
}
while (stz.hasMoreTokens()) {
if (index == -1) {
continue;
}
// we can ignore this cookie
continue;
}
/* decode the cookie if it is already URLEncoded,
* we have to pass non URLEncoded cookie to
* createCookie method
*/
if (isURLEncoded(nameOfValue)) {
try {
// this would not happen for UTF-8
}
}
// we don't care about the cookie expiry
continue;
path = nameOfValue;
} else {
}
}
}
}
}
}
}
}
/**
* Checks if the provided <code>String</code> is URLEncoded. Our logic is
* simple. If the string has % or + character we treat as URL encoded
* <p/>
* TODO : Copied from AuthClientUtils, refactor
*
* @param s the <code>String</code> we want to check
* @return <code>true</code> if the provided string is URLEncoded,
* <code>false</code> otherwise.
*/
private static boolean isURLEncoded(String s) {
boolean urlEncoded = false;
if (s != null) {
urlEncoded = true;
}
}
return urlEncoded;
}
/**
* Creates a Cookie with the <code>cookieName</code>,
* <code>cookieValue</code> for the cookie domains specified.
* <p/>
* TODO: Copied from AuthClientUtils Refactor
*
* @param cookieName is the name of the cookie
* @param cookieValue is the value fo the cookie
* @param cookieDomain Domain for which the cookie is to be set.
* @param path The path into which the cookie shall be set
* @return the cookie object.
*/
if (debug.messageEnabled()) {
}
try {
path, cookieDomain);
if (debug.messageEnabled()) {
}
}
if (debug.messageEnabled()) {
}
return cookie;
}
/**
* Return true if the User for this session has a profile set to Ignore
*
* @param session session object of the user
* @return true if the User for this session has a profile set to Ignore
*/
boolean result = false;
//ISAuthConstants.USER_PROFILE
//ISAuthConstants.IGNORE
}
if (debug.messageEnabled()) {
+ "User profile from session = "
}
} else {
if (debug.messageEnabled()) {
}
}
return result;
}
/**
* Returns the first value of the session property.
*
* @param session The session object.
* @param propertyName The property's name that needs to be returned.
* @return The property value derived from the session object.
* @throws SessionException If there was a problem while retrieving the session property.
*/
public static String getSingleValuedSessionProperty(Object session, String propertyName) throws SessionException {
}
}