0N/A<%--
0N/A DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
0N/A
426N/A Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
0N/A
0N/A The contents of this file are subject to the terms
0N/A of the Common Development and Distribution License
0N/A (the License). You may not use this file except in
0N/A compliance with the License.
0N/A
0N/A You can obtain a copy of the License at
0N/A https://opensso.dev.java.net/public/CDDLv1.0.html or
0N/A opensso/legal/CDDLv1.0.txt
0N/A See the License for the specific language governing
0N/A permission and limitations under the License.
0N/A
0N/A When distributing Covered Code, include this CDDL
0N/A Header Notice in each file and include the License file
0N/A at opensso/legal/CDDLv1.0.txt.
0N/A If applicable, add the following below the CDDL Header,
0N/A with the fields enclosed by brackets [] replaced by
0N/A your own identifying information:
0N/A "Portions Copyrighted [year] [name of copyright owner]"
0N/A
0N/A $Id: spSingleLogoutInit.jsp,v 1.13 2009/10/15 00:01:11 exu Exp $
0N/A
0N/A--%>
426N/A<%--
426N/A Portions Copyrighted 2012-2014 ForgeRock AS
426N/A--%>
0N/A
0N/A<%@ page import="com.sun.identity.plugin.session.SessionManager" %>
426N/A<%@ page import="com.sun.identity.plugin.session.SessionException" %>
426N/A<%@ page import="com.sun.identity.saml.common.SAMLUtils" %>
426N/A<%@ page import="com.sun.identity.saml2.common.SAML2Utils" %>
426N/A<%@ page import="com.sun.identity.saml2.common.SAML2Constants" %>
426N/A<%@ page import="com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement" %>
426N/A<%@ page import="com.sun.identity.saml2.meta.SAML2MetaManager" %>
426N/A<%@ page import="com.sun.identity.saml2.meta.SAML2MetaUtils" %>
426N/A<%@ page import="com.sun.identity.saml2.common.SAML2Exception" %>
426N/A<%@ page import="com.sun.identity.saml2.profile.LogoutUtil" %>
426N/A<%@ page import="com.sun.identity.saml2.profile.SPCache" %>
0N/A<%@ page import="com.sun.identity.saml2.profile.SPSingleLogout" %>
0N/A<%@ page import="java.util.HashMap" %>
0N/A<%@ page import="java.util.List" %>
0N/A<%@ page import="org.owasp.esapi.ESAPI" %>
0N/A
0N/A
0N/A
0N/A<%--
0N/A spSingleLogoutInit.jsp
0N/A - initiates the LogoutRequest at the Service Provider.
0N/A
0N/A Required parameters to this jsp are :
426N/A "binding" - binding used for this request
0N/A "NameIDValue" - NameID value for the user. Required in fedlet case.
0N/A"SessionIndex" - the session that carries this SessionIndex is the one to be single logged out.
0N/A Required in fedlet case.
0N/A "idpEntityID" - Identifier for identity provider. Required for fedlet case.
0N/A If binding is not set, this parameter is used to find the
0N/A default binding.
0N/A
0N/A Some of the other optional parameters are :
0N/A "RelayState" - the target URL on successful Single Logout
0N/A "goto" - the target URL on successful Single Logout.
0N/A "RelayState" takes precedence to "goto" parameter.
0N/A "Destination" - A URI Reference indicating the address to
0N/A which the request has been sent.
0N/A"Consent" - Specifies a URI, a SAML-defined identifier
426N/A known as a Consent Identifier.
0N/A "Extension" - Specifies a list of Extensions as list of
0N/A String objects.
0N/A"spEntityID" - Fedlet's entity ID. Used in fedlet case. When it is missing,
0N/A the first SP from metadata is used.
0N/A Check the SAML2 Documentation for supported parameters.
0N/A--%>
0N/A
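<%
    // Initiates a SAML2 LogoutRequest from the Service Provider.
    //
    // Request parameters read here:
    //   RelayState / goto - target URL after logout; RelayState wins over goto.
    //                       It is only ever redirected to after it passes
    //                       SAML2Utils.isRelayStateURLValid (the SP's relay-state
    //                       allow list) and the ESAPI "URL" rule, because the
    //                       no-session branch below redirects without any
    //                       authenticated user.
    //   spEntityID, SessionIndex, NameIDValue, idpEntityID - fedlet case
    //   Destination, Consent, Extension - optional LogoutRequest fields
    //
    // Outcomes:
    //   - no local session, or no SP metaAlias: redirect to the validated
    //     RelayState, otherwise forward to default.jsp with spSloSuccess
    //   - SOAP binding: same redirect/forward once initiateLogoutRequest returns
    //   - other bindings: nothing is emitted here (initiateLogoutRequest is
    //     assumed to write the redirect/form itself - confirm against SPSingleLogout)
    try {
        String RelayState = request.getParameter(SAML2Constants.RELAY_STATE);
        if (RelayState == null || RelayState.isEmpty()) {
            RelayState = request.getParameter(SAML2Constants.GOTO);
        }
        // Discard anything that is not a well-formed query-string value. The
        // stricter "URL" rule and the allow-list check are repeated right
        // before every sendRedirect below.
        if (!ESAPI.validator().isValidInput("RelayState", RelayState, "HTTPQueryString", 2000, true)) {
            RelayState = null;
        }

        String metaAlias = null;

        Object ssoToken = null;
        try {
            ssoToken = SessionManager.getProvider().getSession(request);
        } catch (SessionException se) {
            // Not an error: the user may simply have no local session.
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("No session.");
            }
        }

        String spEntityID = null;
        SAML2MetaManager manager = new SAML2MetaManager();
        if (!SPCache.isFedlet) {
            if (ssoToken == null) {
                // There is no local session, so we can't perform the logout on
                // the IdP; just return with HTTP 200 (or the validated RelayState).
                if (RelayState != null && !RelayState.isEmpty()
                        && SAML2Utils.isRelayStateURLValid(request, RelayState, SAML2Constants.SP_ROLE)
                        && ESAPI.validator().isValidInput("RelayState", RelayState, "URL", 2000, true)) {
                    response.sendRedirect(RelayState);
                } else {
%>
    <jsp:forward page="/saml2/jsp/default.jsp?message=spSloSuccess"/>
<%
                }
                return;
            }
            // The SP metaAlias is read back from the session property set at SSO time.
            String[] values = SessionManager.getProvider().getProperty(ssoToken, SAML2Constants.SP_METAALIAS);
            if (values != null && values.length > 0) {
                metaAlias = values[0];
            }
        } else {
            spEntityID = request.getParameter("spEntityID");
            if (spEntityID == null || spEntityID.isEmpty()) {
                // No SP named: fall back to the first hosted SP in the root realm.
                List spMetaAliases = manager.getAllHostedServiceProviderMetaAliases("/");
                if (spMetaAliases != null && !spMetaAliases.isEmpty()) {
                    metaAlias = (String) spMetaAliases.get(0);
                }
            } else {
                SPSSOConfigElement spConfig = manager.getSPSSOConfig("/", spEntityID);
                if (spConfig != null) {
                    metaAlias = spConfig.getMetaAlias();
                }
            }
        }

        if (metaAlias == null) {
            // No SP configuration to drive a SAML logout; at least end the
            // local session before answering.
            try {
                SessionManager.getProvider().invalidateSession(ssoToken, request, response);
            } catch (SessionException se) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("No session.");
                }
            }
            // Same null/empty + allow-list + URL-rule check as the other two
            // redirect sites, so an empty RelayState never becomes a redirect.
            if (RelayState != null && !RelayState.isEmpty()
                    && SAML2Utils.isRelayStateURLValid(request, RelayState, SAML2Constants.SP_ROLE)
                    && ESAPI.validator().isValidInput("RelayState", RelayState, "URL", 2000, true)) {
                response.sendRedirect(RelayState);
            } else {
%>
    <jsp:forward page="/saml2/jsp/default.jsp?message=spSloSuccess"/>
<%
            }
            return;
        }

        String idpEntityID = request.getParameter("idpEntityID");
        String binding = LogoutUtil.getSLOBindingInfo(request, metaAlias, SAML2Constants.SP_ROLE, idpEntityID);
        if (spEntityID == null) {
            spEntityID = manager.getEntityByMetaAlias(metaAlias);
        }
        String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
        // A missing binding is reported as unsupported here instead of
        // reaching initiateLogoutRequest / equalsIgnoreCase further down.
        if (binding == null
                || !SAML2Utils.isSPProfileBindingSupported(realm, spEntityID, SAML2Constants.SLO_SERVICE, binding)) {
            SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                    "unsupportedBinding",
                    SAML2Utils.bundle.getString("unsupportedBinding"));
            return;
        }

        // Parameters handed to SPSingleLogout.initiateLogoutRequest. Keys set:
        //   metaAlias, idpEntityID, Role, Binding, RelayState (when present),
        //   Destination, Consent, Extension and, in the fedlet case,
        //   SessionIndex and infoKey. Every value put here is a request
        //   parameter String (or null when the parameter is absent).
        HashMap paramsMap = new HashMap();
        if (SPCache.isFedlet) {
            String sessionIndex = request.getParameter("SessionIndex");
            if (sessionIndex == null || sessionIndex.isEmpty()) {
                SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                        "nullSessionIndex",
                        SAML2Utils.bundle.getString("nullSessionIndex"));
                return;
            }
            paramsMap.put("SessionIndex", sessionIndex);

            String nameID = request.getParameter("NameIDValue");
            if (nameID == null || nameID.isEmpty()) {
                SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                        "nullNameID",
                        SAML2Utils.bundle.getString("nullNameID"));
                return;
            }
            if (idpEntityID == null) {
                SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                        "nullIDPEntityID",
                        SAML2Utils.bundle.getString("nullIDPEntityID"));
                return;
            }
            // infoKey identifies the fedlet session as sp|idp|nameID.
            paramsMap.put("infoKey", spEntityID + "|" + idpEntityID + "|" + nameID);
        }
        paramsMap.put("metaAlias", metaAlias);
        paramsMap.put("idpEntityID", idpEntityID);
        paramsMap.put(SAML2Constants.ROLE, SAML2Constants.SP_ROLE);
        paramsMap.put(SAML2Constants.BINDING, binding);
        paramsMap.put("Destination", request.getParameter("Destination"));
        paramsMap.put("Consent", request.getParameter("Consent"));
        paramsMap.put("Extension", request.getParameter("Extension"));
        if (RelayState == null || RelayState.isEmpty()) {
            // Fall back to the SP's configured default relay state.
            RelayState = SAML2Utils.getAttributeValueFromSSOConfig(
                    realm, spEntityID, SAML2Constants.SP_ROLE, SAML2Constants.DEFAULT_RELAY_STATE);
        }
        if (RelayState != null) {
            paramsMap.put(SAML2Constants.RELAY_STATE, RelayState);
        }

        SPSingleLogout.initiateLogoutRequest(request, response, binding, paramsMap);

        // SOAP is back-channel and synchronous, so this page still owns the
        // response once initiateLogoutRequest returns.
        if (binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
            if (RelayState != null && !RelayState.isEmpty()
                    && SAML2Utils.isRelayStateURLValid(metaAlias, RelayState, SAML2Constants.SP_ROLE)
                    && ESAPI.validator().isValidInput("RelayState", RelayState, "URL", 2000, true)) {
                response.sendRedirect(RelayState);
            } else {
%>
    <jsp:forward page="/saml2/jsp/default.jsp?message=spSloSuccess"/>
<%
            }
        }
    } catch (SAML2Exception sse) {
        SAML2Utils.debug.error("Error sending Logout Request " , sse);
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                "LogoutRequestCreationError",
                SAML2Utils.bundle.getString("LogoutRequestCreationError") + " " + sse.getMessage());
        return;
    } catch (Exception e) {
        SAML2Utils.debug.error("Error initializing Request ", e);
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                "LogoutRequestCreationError",
                SAML2Utils.bundle.getString("LogoutRequestCreationError") + " " + e.getMessage());
        return;
    }
%>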
0N/A