DoManageNameID.java revision 0e107349d3f7763a9c67fb2f32c86c11364c72cf
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: DoManageNameID.java,v 1.26 2009/11/24 21:53:27 madan_ranganath Exp $
*
*/
/*
* Portions Copyrighted 2013-2014 ForgeRock AS
*/
/**
* This class reads the query parameters and the required
* processing logic for sending ManageNameIDRequest
* from SP to IDP.
*/
public class DoManageNameID {
private static FedMonAgent agent;
private static FedMonSAML2Svc saml2Svc;
static {
try {
metaManager= new SAML2MetaManager();
} catch (SOAPException se) {
} catch (SAML2MetaException se) {
} catch (SessionException sessE) {
}
}
}
}
/**
* Parses the request parameters and builds the ManageNameID
* Request to sent to remote Entity.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param metaAlias entityID of hosted entity.
* @param remoteEntityID entityID of remote entity.
* @param paramsMap Map of all other parameters.
* @throws SAML2Exception if error initiating request to remote entity.
*/
public static void initiateManageNameIDRequest(
if (metaManager == null) {
throw new SAML2Exception(
}
logError("MetaAliasNotFound",
throw new SAML2Exception(
}
if (remoteEntityID == null) {
logError("nullRemoteEntityID",
throw new SAML2Exception(
}
try {
} catch (SessionException se) {
if (debug.messageEnabled()) {
}
}
if (debug.messageEnabled()) {
"redirect to the authentication service");
}
// the user has not logged in yet,
// redirect to the authentication service
try {
} catch (IOException ioe) {
logError("UnableToRedirectToAuth",
}
return;
}
if (debug.messageEnabled()) {
}
try {
}
throw new SAML2Exception(
}
if (mniService != null) {
}
throw new SAML2Exception(
}
}
// Validate the RelayState URL.
response);
} else {
}
throw new SAML2Exception(
}
}
} catch (IOException ioe) {
logError("errorCreatingMNIRequest",
throw new SAML2Exception(
} catch (SAML2MetaException sme) {
throw new SAML2Exception(
} catch (SessionException ssoe) {
throw new SAML2Exception(
}
}
try {
} catch (SAML2Exception e) {
if (debug.messageEnabled()) {
}
}
}
}
/**
* Returns binding information of MNI Service for remote entity
* from request or meta configuration.
*
* @param request the HttpServletRequest.
* @param metaAlias entityID of hosted entity.
* @param hostEntityRole Role of hosted entity.
* @param remoteEntityID entityID of remote entity.
* @return return true if the processing is successful.
* @throws SAML2Exception if no binding information is configured.
*/
throws SAML2Exception {
try {
if (mniService != null) {
}
}
} catch (SessionException e) {
throw new SAML2Exception(
}
logError("UnableTofindBinding",
throw new SAML2Exception(
}
return binding;
}
throws SAML2Exception {
hostEntityRole, remoteEntity, false);
}
boolean includeCert)
throws SAML2Exception {
boolean needRequestSign = false;
} else {
}
if (!needRequestSign) {
if (debug.messageEnabled()) {
}
return;
}
if (debug.messageEnabled()) {
+ mniRequest.toXMLString(true, true));
}
if (includeCert) {
}
if (signingKey != null) {
} else {
logError("missingSigningCertAlias",
throw new SAML2Exception(
}
if (debug.messageEnabled()) {
+ mniRequest.toXMLString(true, true));
}
}
if (debug.messageEnabled()) {
}
boolean needVerifySignature =
if (!needVerifySignature) {
if (debug.messageEnabled()) {
}
return true;
}
boolean valid = false;
} else {
}
if (signingCert != null) {
if (debug.messageEnabled()) {
}
} else {
logError("missingSigningCertAlias.",
throw new SAML2Exception(
}
return valid;
}
throws SAML2Exception {
hostEntityRole, remoteEntity, false);
}
boolean includeCert)
throws SAML2Exception {
boolean needResponseSign = false;
} else {
}
if (!needResponseSign) {
if (debug.messageEnabled()) {
}
return;
}
if (debug.messageEnabled()) {
+ mniResponse.toXMLString(true, true));
}
if (includeCert) {
}
if (signingKey != null) {
} else {
logError("missingSigningCertAlias",
throw new SAML2Exception(
}
if (debug.messageEnabled()) {
+ mniResponse.toXMLString(true, true));
}
}
throws SAML2Exception, SessionException {
if (debug.messageEnabled()) {
}
boolean needVerifySignature =
if (!needVerifySignature) {
if (debug.messageEnabled()) {
"MNIResponse doesn't need to be verified.");
}
return true;
}
boolean valid = false;
} else {
}
if (signingCert != null) {
if (debug.messageEnabled()) {
}
} else {
logError("missingSigningCertAlias",
throw new SAML2Exception(
}
return valid;
}
if (debug.messageEnabled()) {
}
if (encryptedID != null) {
mniRequest.toXMLString(true, true));
}
} else {
}
}
/**
* Parses the request parameters and process the ManageNameID
* Request from the remote entity.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param paramsMap Map of all other parameters.
* @throws SAML2Exception if error occurred while processing the request.
* @throws SessionException if error processing the request from remote entity.
* @throws ServletException if request length is invalid.
*/
// handle DOS attack
logError("MetaAliasNotFound",
throw new SAML2Exception(
}
boolean isSupported = false;
} else {
}
if (!isSupported) {
"MNI binding: Redirect is not supported for " + hostEntity);
"unsupportedBinding"));
}
// Retrieve ManageNameIDRequest
if (remoteEntityID == null) {
logError("nullRemoteEntityID",
throw new SAML2Exception(
}
boolean needToVerify =
if (needToVerify) {
boolean valid =
if (!valid) {
logError("invalidSignInRequest",
throw new SAML2Exception(
}
}
if (debug.messageEnabled()) {
}
try {
}
} catch (SAML2MetaException e) {
throw new SAML2Exception(
}
}
/**
* Parses the request parameters and process the ManageNameID
* Request from the remote entity.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param paramsMap Map of all other parameters.
* @throws SAML2Exception if error occurred while processing the request.
* @throws IOException if error generation DOM from input stream.
* @throws SOAPException if error generating soap message.
* @throws ServletException if request length is invalid.
*/
// handle DOS attack
logError("MetaAliasNotFound",
throw new SAML2Exception(
}
boolean isSupported = false;
} else {
}
if (!isSupported) {
"MNI binding: SOAP is not supported for " + hostEntity);
"unsupportedBinding"));
}
// Retrieve a SOAPMessage
if (remoteEntityID == null) {
logError("nullRemoteEntityID",
throw new SAML2Exception(
}
if (debug.messageEnabled()) {
}
if (!valid) {
logError("invalidSignInRequest",
throw new SAML2Exception(
}
mniResponse.toXMLString(true, true), false);
/* Need to call saveChanges because we're
* going to use the MimeHeaders to set HTTP
* response information. These MimeHeaders
* are generated as part of the save. */
if (reply.saveRequired()) {
reply.saveChanges();
}
// Write out the message on the response stream
} else {
logError("errorObtainResponse",
throw new SAML2Exception(
}
}
/**
* Parses the request parameters and builds the Authentication
* Request to sent to the IDP.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param paramsMap Map of all other parameters.
* @return return true if the processing is successful.
* @throws SAML2Exception if error initiating request to IDP.
*/
public static boolean processManageNameIDResponse(
throws SAML2Exception {
boolean success = false;
throw new SAML2Exception(
}
boolean isSupported = false;
} else {
}
if (!isSupported) {
"MNI binding: Redirect is not supported for " + hostEntityID);
"unsupportedBinding"));
}
logError("nullDecodedStrFromSamlResponse",
throw new SAML2Exception(
}
if (debug.messageEnabled()) {
}
// Validate the RelayState URL.
hostRole);
try {
if (needToVerify) {
if (!valid) {
logError("invalidSignInResponse",
"invalidSignInResponse"));
}
}
// invoke SPAdapter for termination success
}
} catch (SessionException e) {
logError("invalidSSOToken",
throw new SAML2Exception(
}
if (debug.messageEnabled()) {
}
return success;
}
private static Status processManageNameIDRequest(
throws Exception {
if (debug.messageEnabled()) {
}
true);
if (oldNameIDInfo != null) {
}
// log manage name id failure
mniRequest.toXMLString(true, true));
}
// Terminate
} else {
}
}
// log termination failure
}
if (mniRequest.getTerminate()) {
// log termination success
userID);
}
// newID case
hostRole);
if (idpSession != null) {
// there are active session using this Name id
synchronized(IDPCache.idpSessionsByIndices) {
}
}
// log new name id success
}
// SP ROLE
if (spFedSessions != null) {
synchronized (spFedSessions) {
try {
} else {
}
}
} catch (SessionException ex) {
"processManageNameIDRequest:", ex);
}
}
}
}
}
// log new name id success
}
private static ManageNameIDResponse processManageNameIDRequest(
try {
realm);
realm);
}
} else {
}
} catch (Exception e) {
if (debug.messageEnabled()) {
}
e.toString());
}
try {
if (responseID == null) {
}
}
} catch (SAML2Exception e) {
}
// invoke SPAdapter for post temination success
}
return mniResponse;
}
throws SAML2Exception {
try {
// encode the xml string
.append(encodedXML);
}
if (debug.messageEnabled()) {
}
mniURL));
boolean needToSign = false;
} else {
}
if (needToSign) {
if (debug.messageEnabled()) {
"QueryString has need to be signed.");
}
}
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
relayState, ioe);
}
}
}
static private ManageNameIDRequest createManageNameIDRequest(
try {
} catch (SessionException e) {
"invalidSSOToken"));
}
if (debug.messageEnabled()) {
}
destination));
if (!changeID) {
mniRequest.setTerminate(true);
}
return mniRequest;
}
throws SAML2Exception {
if (debug.messageEnabled()) {
}
if (samlRequest == null) {
logError("nullManageIDRequest",
"nullManageIDRequest"));
}
return getMNIRequestFromPost(samlRequest);
} else {
if (decodedStr == null) {
logError("nullDecodedStrFromSamlRequest",
"nullDecodedStrFromSamlRequest"));
}
}
}
// This is the application code for handling the message.
throws SAML2Exception {
"ManageNameIDRequest");
return manageRequest;
}
static private void doMNIByHttpRedirect(
// encode the xml string
.append(encodedXML);
}
boolean needToSign = false;
} else {
}
if (needToSign) {
}
if (debug.messageEnabled()) {
}
}
static private boolean doMNIBySOAP(
boolean success = false;
if (debug.messageEnabled()) {
}
try {
true);
} catch (SOAPException se) {
return false;
}
"ManageNameIDResponse");
if (debug.messageEnabled()) {
if (mniResponse != null) {
} else {
}
}
if (mniResponse != null) {
try {
if (!validSign) {
logError("invalidSignInResponse",
throw new SAML2Exception(
}
// invoke SPAdapter for termination success, SP initied SOAP
}
} catch (SessionException e) {
throw new SAML2Exception(e.toString());
}
}
if (debug.messageEnabled()) {
}
return success;
}
boolean success = false;
hostRole);
logError("invalidInResponseToInResponse",
throw new SAML2Exception(
}
throw new SAML2Exception(
}
oldNameID.getSPNameQualifier(), true);
if (oldNameIDInfo == null) {
"not found.");
return false;
}
// Terminate
}
} else {
}
// log termination failure
userID);
return false;
}
if (origMniReq.getTerminate()) {
// log termination success
userID);
return true;
}
// newID case
createNameID();
if (spFedSessions != null) {
{
size());
}
}
try {
} else {
}
}
} catch (Exception e) {
}
createNameID();
if (idpSession != null) {
synchronized(IDPCache.idpSessionsByIndices) {
}
}
}
// log manage name id success
success = true;
} else {
}
return success;
}
private static ManageNameIDRequestInfo getMNIRequestInfo(
return (ManageNameIDRequestInfo)
return (ManageNameIDRequestInfo)
}
return null;
}
throws SAML2Exception {
if (affiliationID != null) {
"spNotAffiliationMember"));
}
} else {
remoteEntityID)) {
"spNotAffiliationMember"));
}
}
} else if (invalidAffiIDAllowed) {
} else {
"affiliationNotFound"));
}
} else {
}
return nameInfo;
}
}
private static ManageNameIDServiceElement getMNIServiceElement(
if (debug.messageEnabled()) {
}
} else {
logError("nullHostEntityRole",
throw new SAML2Exception(
}
return mniService;
}
if (nameIDInfo != null) {
if (debug.messageEnabled()) {
}
} else {
}
return nameID;
}
boolean needEncryptIt = false;
} else {
}
if (changeID) {
}
if (!needEncryptIt) {
if (debug.messageEnabled()) {
}
return;
}
} else {
}
if (debug.messageEnabled()) {
}
null);
"UnableToFindEncryptKeyInfo"));
}
// This non-encrypted NameID will be removed just
// after saveMNIRequestInfo and just before it send to
// This non-encrypted newID will be removed just
// after saveMNIRequestInfo and just before it send to
}
}
throws SAML2Exception {
if (!needDecryptIt) {
if (debug.messageEnabled()) {
"NamID doesn't need to be decrypted.");
"request is " + request);
}
}
return newID;
}
}
throws SAML2Exception {
if (!needDecryptIt) {
if (debug.messageEnabled()) {
}
}
if (debug.messageEnabled()) {
}
}
/**
* Returns first ManageNameID configuration in an entity under
* the realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @param binding bind type need to has to be matched.
* @return <code>ManageNameIDServiceElement</code> for the entity or null
* @throws SAML2MetaException if unable to retrieve the first identity
* provider's SSO configuration.
* @throws SessionException invalid or expired single-sign-on session
*/
static public ManageNameIDServiceElement getIDPManageNameIDConfig(
throws SAML2MetaException, SessionException {
if (idpSSODesc == null) {
return null;
}
}
break;
}
}
}
return mni;
}
/**
* Returns first ManageNameID configuration in an entity under
* the realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @param binding bind type need to has to be matched.
* @return <code>ManageNameIDServiceElement</code> for the entity or null
* @throws SAML2MetaException if unable to retrieve the first identity
* provider's SSO configuration.
* @throws SessionException invalid or expired single-sign-on session.
*/
static public ManageNameIDServiceElement getSPManageNameIDConfig(
throws SAML2MetaException, SessionException {
return null;
}
}
break;
}
}
}
return mni;
}
if (debug.messageEnabled()) {
}
} else {
if (debug.messageEnabled()) {
}
return null;
}
if (debug.messageEnabled()) {
"IDPCache.idpSessionsByIndices return null.");
}
return null;
}
while (keys.hasMoreElements()) {
if (idpSession != null) {
if (nameIDSPlist != null) {
// synchronize to avoid con-current modification
synchronized (nameIDSPlist) {
if (debug.messageEnabled()) {
}
return idpSession;
}
}
}
}
}
}
return null;
}
static private void removeInfoKeyFromSession(
}
if (infoKeyString == null) {
if (debug.messageEnabled()) {
}
return;
}
if (debug.messageEnabled()) {
+ infoKeyString);
}
while (st.hasMoreTokens()) {
continue;
}
}
}
if (debug.messageEnabled()) {
+ newInfoKey.toString());
}
if (debug.messageEnabled()) {
}
} else {
return;
}
}
relayState, mniURL);
}
"Unable to get a key provider instance.");
"nullKeyProvider"));
}
}
if (samlRequest == null) {
"MissingSAMLRequest",
"MissingSAMLRequest"));
}
"MetaAliasNotFound"));
}
boolean isSupported = false;
} else {
}
if (!isSupported) {
"MNI binding: POST is not supported for " + hostEntityID);
"unsupportedBinding"));
}
try {
}
}
} catch (SAML2Exception se) {
"nullDecodedStrFromSamlResponse",
"nullDecodedStrFromSamlResponse"));
} catch (Exception e) {
"nullDecodedStrFromSamlResponse",
" " + e.getMessage());
"nullDecodedStrFromSamlResponse"));
} finally {
try {
if (debug.messageEnabled()) {
}
}
}
}
if (mniRequest != null) {
if (remoteEntityID == null) {
"nullRemoteEntityID"));
}
if (debug.messageEnabled()) {
"Meta Alias is : "+ metaAlias);
"Host EntityID is : " + hostEntityID);
"Remote EntityID is : " + remoteEntityID);
}
if (!valid) {
logError("invalidSignInRequest",
"invalidSignInRequest"));
}
}
///common for post, redirect, soap
//send MNI Response by POST
try {
} catch (Exception e) {
throw new SAML2Exception("Error posting to target");
}
}
return;
}
if (samlResponse == null) {
"missingSAMLResponse"));
}
try {
}
}
} catch (SAML2Exception se) {
"nullDecodedStrFromSamlResponse"));
} catch (Exception e) {
"nullDecodedStrFromSamlResponse"));
} finally {
try {
if (debug.messageEnabled()) {
ie);
}
}
}
}
}
if (debug.messageEnabled()) {
}
return respStr;
}
throws SAML2Exception {
boolean success = false;
"MetaAliasNotFound"));
}
boolean isSupported = false;
} else {
}
if (!isSupported) {
"MNI binding: POST is not supported for " + hostEntityID);
"unsupportedBinding"));
}
logError("nullDecodedStrFromSamlResponse",
"nullDecodedStrFromSamlResponse"));
}
if (debug.messageEnabled()) {
"Meta Alias is : "+ metaAlias);
"Host role is : " + hostRole);
"Relay state is : " + relayState);
"MNI Response : " + mniResStr);
}
// Validate the RelayState URL.
hostRole);
try {
if (needToVerify) {
if (!valid) {
logError("invalidSignInResponse",
"invalidSignInResponse"));
}
}
hostRole, new StringBuffer());
} catch (SessionException e) {
"invalidSSOToken"));
}
if (debug.messageEnabled()) {
"Request success : " + success);
}
return success;
}
throws SAML2Exception {
try {
}
}
} catch (SAML2Exception se) {
"nullDecodedStrFromSamlResponse"));
} catch (Exception e) {
"nullDecodedStrFromSamlResponse"));
} finally {
try {
if (debug.messageEnabled()) {
ie);
}
}
}
}
return mniReq;
}
}