spSingleLogoutInit.jsp revision 881ea1b9f1a22a7d7bf65c6c2bf46ca282641f82
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%--
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
3e14f97f673e8a630f076077de35afdd43dc1587Roger A. Faulkner Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin The contents of this file are subject to the terms
7c2fbfb345896881c631598ee3852ce9ce33fb07April Chin of the Common Development and Distribution License
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin (the License). You may not use this file except in
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin compliance with the License.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin You can obtain a copy of the License at
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin https://opensso.dev.java.net/public/CDDLv1.0.html or
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin opensso/legal/CDDLv1.0.txt
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin See the License for the specific language governing
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin permission and limitations under the License.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin When distributing Covered Code, include this CDDL
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Header Notice in each file and include the License file
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin at opensso/legal/CDDLv1.0.txt.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin If applicable, add the following below the CDDL Header,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin with the fields enclosed by brackets [] replaced by
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin your own identifying information:
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin "Portions Copyrighted [year] [name of copyright owner]"
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin $Id: spSingleLogoutInit.jsp,v 1.13 2009/10/15 00:01:11 exu Exp $
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin--%>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%--
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Portions Copyrighted 2012-2013 ForgeRock AS
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin--%>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%@ page import="com.sun.identity.plugin.session.SessionManager" %>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%@ page import="com.sun.identity.plugin.session.SessionException" %>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%@ page import="com.sun.identity.saml.common.SAMLUtils" %>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%@ page import="com.sun.identity.saml2.common.SAML2Utils" %>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%@ page import="com.sun.identity.saml2.common.SAML2Constants" %>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%@ page import="com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement" %>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%@ page import="com.sun.identity.saml2.meta.SAML2MetaManager" %>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%@ page import="com.sun.identity.saml2.meta.SAML2MetaUtils" %>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%@ page import="com.sun.identity.saml2.common.SAML2Exception" %>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%@ page import="com.sun.identity.saml2.profile.LogoutUtil" %>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%@ page import="com.sun.identity.saml2.profile.SPCache" %>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%@ page import="com.sun.identity.saml2.profile.SPSingleLogout" %>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%@ page import="java.util.HashMap" %>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%@ page import="java.util.List" %>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%@ page import="org.owasp.esapi.ESAPI" %>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<%--
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin spSingleLogoutInit.jsp
- initiates the LogoutRequest at the Service Provider.
Required parameters to this jsp are :
"binding" - binding used for this request
"NameIDValue" - NameID value for the user. Required in fedlet case.
"SessionIndex" - Session that has this sessionIndex is to be single logout.
Required in fedlet case.
"idpEntityID" - Identifier for identity provider. Required for fedlet case.
If binding is not set, this parameter is used to find the
default binding.
Some of the other optional parameters are :
"RelayState" - the target URL on successful Single Logout
"goto" - the target URL on successful Single Logout.
"RelayState" takes precedence to "goto" parameter.
"Destination" - A URI Reference indicating the address to
which the request has been sent.
"Consent" - Specifies a URI a SAML defined identifier
known as Consent Identifiers.
"Extension" - Specifies a list of Extensions as list of
String objects.
"spEntityID" - Fedlet's entity ID. Used in fedlet case. When it is missing,
first sp from metadata is used.
Check the SAML2 Documentation for supported parameters.
--%>
<%
// Retrieves the Request Query Parameters
// Binding are the required query parameters
// binding - binding used for this request
try {
String RelayState = request.getParameter(SAML2Constants.RELAY_STATE);
if (!ESAPI.validator().isValidInput("HTTP Query String: " + RelayState,
RelayState, "HTTPQueryString", 2000, true)){
RelayState = null;
}
if (RelayState == null || RelayState.isEmpty()) {
RelayState = request.getParameter(SAML2Constants.GOTO);
}
if (!ESAPI.validator().isValidInput("HTTP Query String: " + RelayState, RelayState, "HTTPQueryString", 1024, true)) {
RelayState = null;
}
String metaAlias = null;
Object ssoToken = null;
try {
ssoToken = SessionManager.getProvider().getSession(request);
} catch (SessionException se) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("No session.");
}
ssoToken = null;
}
String spEntityID = null;
SAML2MetaManager manager = new SAML2MetaManager();
if (!SPCache.isFedlet) {
if (ssoToken == null) {
//There is no local session, so we can't perform the logout on the IdP,
//let's just return with HTTP 200
if (RelayState != null && !RelayState.isEmpty() &&
SAML2Utils.isRelayStateURLValid(request, RelayState, SAML2Constants.SP_ROLE) &&
ESAPI.validator().isValidInput("HTTP URL Parameter: " + RelayState, RelayState, "URL", 2000, true)) {
response.sendRedirect(RelayState);
} else {
%>
<jsp:forward page="/saml2/jsp/default.jsp?message=spSloSuccess"/>
<%
}
return;
}
String[] values = SessionManager.getProvider().
getProperty(ssoToken, SAML2Constants.SP_METAALIAS);
if (values != null && values.length > 0) {
metaAlias = values[0];
}
} else {
spEntityID = request.getParameter("spEntityID");
if ((spEntityID == null) || (spEntityID.length() == 0)) {
List spMetaAliases =
manager.getAllHostedServiceProviderMetaAliases("/");
if ((spMetaAliases != null) && !spMetaAliases.isEmpty()) {
// get first one
metaAlias = (String) spMetaAliases.get(0);
}
} else {
SPSSOConfigElement spConfig =
manager.getSPSSOConfig("/", spEntityID);
if (spConfig != null) {
metaAlias = spConfig.getMetaAlias();
}
}
}
if (metaAlias == null) {
try {
SessionManager.getProvider().invalidateSession(
ssoToken, request, response);
} catch (SessionException se) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("No session.");
}
}
if (RelayState != null && SAML2Utils.isRelayStateURLValid(request, RelayState, SAML2Constants.SP_ROLE) &&
ESAPI.validator().isValidInput("HTTP URL Parameter: " + RelayState, RelayState, "URL", 2000, true)) {
response.sendRedirect(RelayState);
} else {
%>
<jsp:forward page="/saml2/jsp/default.jsp?message=spSloSuccess"/>
<%
}
return;
}
String idpEntityID = request.getParameter("idpEntityID");
String binding = LogoutUtil.getSLOBindingInfo(request, metaAlias,
SAML2Constants.SP_ROLE, idpEntityID);
if (spEntityID == null) {
spEntityID = manager.getEntityByMetaAlias(metaAlias);
}
String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
if (!SAML2Utils.isSPProfileBindingSupported(
realm, spEntityID, SAML2Constants.SLO_SERVICE, binding))
{
SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
"unsupportedBinding",
SAML2Utils.bundle.getString("unsupportedBinding"));
return;
}
/**
* Parses the request parameters and builds the Logout
* Request to be sent to the IDP.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param metaAlias metaAlias of Service Provider. The format of
* this parameter is /realm_name/SP_name.
* @param binding binding used for this request.
* @param paramsMap Map of all other parameters.
* Following parameters names with their respective
* String values are allowed in this paramsMap.
* "RelayState" - the target URL on successful Single Logout
* "Destination" - A URI Reference indicating the address to
* which the request has been sent.
* "Consent" - Specifies a URI a SAML defined identifier
* known as Consent Identifiers.
* "Extension" - Specifies a list of Extensions as list of
* String objects.
* @throws SAML2Exception if error initiating request to IDP.
*/
HashMap paramsMap = new HashMap();
if (SPCache.isFedlet) {
String sessionIndex = request.getParameter("SessionIndex");
if ((sessionIndex == null) || (sessionIndex.length() == 0)) {
SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
"nullSessionIndex",
SAML2Utils.bundle.getString("nullSessionIndex"));
return;
} else {
paramsMap.put("SessionIndex", sessionIndex);
}
String nameID = request.getParameter("NameIDValue");
if ((nameID == null) || (nameID.length() == 0)) {
SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
"nullNameID",
SAML2Utils.bundle.getString("nullNameID"));
return;
} else {
if (spEntityID == null) {
if (manager == null) {
manager = new SAML2MetaManager();
}
spEntityID = manager.getEntityByMetaAlias(metaAlias);
}
if (idpEntityID == null) {
SAMLUtils.sendError(request, response,
response.SC_BAD_REQUEST,
"nullIDPEntityID",
SAML2Utils.bundle.getString("nullIDPEntityID"));
return;
}
paramsMap.put(
"infoKey", spEntityID+ "|" + idpEntityID + "|" + nameID);
}
}
paramsMap.put("metaAlias", metaAlias);
paramsMap.put("idpEntityID", idpEntityID);
paramsMap.put(SAML2Constants.ROLE, SAML2Constants.SP_ROLE);
paramsMap.put(SAML2Constants.BINDING, binding);
paramsMap.put("Destination", request.getParameter("Destination"));
paramsMap.put("Consent", request.getParameter("Consent"));
paramsMap.put("Extension", request.getParameter("Extension"));
if (RelayState == null || RelayState.isEmpty()) {
RelayState = SAML2Utils.getAttributeValueFromSSOConfig(
realm, spEntityID, SAML2Constants.SP_ROLE,
SAML2Constants.DEFAULT_RELAY_STATE);
}
if (RelayState != null) {
paramsMap.put(SAML2Constants.RELAY_STATE, RelayState);
}
String sessionIndex = request.getParameter("sessionIndex");
SPSingleLogout.initiateLogoutRequest( request,response,
binding,paramsMap);
if (binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
if (RelayState != null && !RelayState.isEmpty() &&
SAML2Utils.isRelayStateURLValid(request, RelayState, SAML2Constants.SP_ROLE) &&
ESAPI.validator().isValidInput("HTTP URL: " + RelayState, RelayState, "URL", 2000, true)) {
response.sendRedirect(RelayState);
} else {
%>
<jsp:forward page="/saml2/jsp/default.jsp?message=spSloSuccess"/>
<%
}
}
} catch (SAML2Exception sse) {
SAML2Utils.debug.error("Error sending Logout Request " , sse);
SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
"LogoutRequestCreationError",
SAML2Utils.bundle.getString("LogoutRequestCreationError") + " " +
sse.getMessage());
return;
} catch (Exception e) {
SAML2Utils.debug.error("Error initializing Request ",e);
SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
"LogoutRequestCreationError",
SAML2Utils.bundle.getString("LogoutRequestCreationError") + " " +
e.getMessage());
return;
}
%>