spSingleLogoutInit.jsp revision 93884f14ebc35fbfaef3d70d4d69003d06891524
2N/A<%--
2N/A DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
2N/A
2N/A Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
2N/A
2N/A The contents of this file are subject to the terms
2N/A of the Common Development and Distribution License
2N/A (the License). You may not use this file except in
2N/A compliance with the License.
2N/A
2N/A You can obtain a copy of the License at
2N/A https://opensso.dev.java.net/public/CDDLv1.0.html or
2N/A opensso/legal/CDDLv1.0.txt
2N/A See the License for the specific language governing
2N/A permission and limitations under the License.
2N/A
2N/A When distributing Covered Code, include this CDDL
2N/A Header Notice in each file and include the License file
2N/A at opensso/legal/CDDLv1.0.txt.
2N/A If applicable, add the following below the CDDL Header,
2N/A with the fields enclosed by brackets [] replaced by
2N/A your own identifying information:
2N/A "Portions Copyrighted [year] [name of copyright owner]"
2N/A
2N/A $Id: spSingleLogoutInit.jsp,v 1.13 2009/10/15 00:01:11 exu Exp $
2N/A
2N/A Portions Copyrighted 2012-2015 ForgeRock AS.
2N/A--%>
2N/A
2N/A<%@ page import="com.sun.identity.plugin.session.SessionManager" %>
2N/A<%@ page import="com.sun.identity.plugin.session.SessionException" %>
2N/A<%@ page import="com.sun.identity.saml.common.SAMLUtils" %>
2N/A<%@ page import="com.sun.identity.saml2.common.SAML2Utils" %>
2N/A<%@ page import="com.sun.identity.saml2.common.SAML2Constants" %>
2N/A<%@ page import="com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement" %>
2N/A<%@ page import="com.sun.identity.saml2.meta.SAML2MetaManager" %>
2N/A<%@ page import="com.sun.identity.saml2.meta.SAML2MetaUtils" %>
2N/A<%@ page import="com.sun.identity.saml2.common.SAML2Exception" %>
2N/A<%@ page import="com.sun.identity.saml2.profile.LogoutUtil" %>
2N/A<%@ page import="com.sun.identity.saml2.profile.SPCache" %>
2N/A<%@ page import="com.sun.identity.saml2.profile.SPSingleLogout" %>
2N/A<%@ page import="java.util.HashMap" %>
2N/A<%@ page import="java.util.List" %>
2N/A<%@ page import="org.owasp.esapi.ESAPI" %>
2N/A<%@ page import="java.io.PrintWriter" %>
2N/A<%@ page import="org.forgerock.guice.core.InjectorHolder" %>
2N/A<%@ page import="org.forgerock.openam.audit.AuditEventPublisher" %>
2N/A<%@ page import="org.forgerock.openam.saml2.audit.SAML2Auditor" %>
2N/A<%@ page import="org.forgerock.openam.audit.AuditEventFactory" %>
2N/A
2N/A<%--
2N/A spSingleLogoutInit.jsp
2N/A - initiates the LogoutRequest at the Service Provider.
2N/A
2N/A Required parameters to this jsp are :
2N/A "binding" - binding used for this request
2N/A "NameIDValue" - NameID value for the user. Required in fedlet case.
2N/A "SessionIndex" - Session that has this sessionIndex is to be single logout.
2N/A Required in fedlet case.
2N/A "idpEntityID" - Identifier for identity provider. Required for fedlet case.
2N/A If binding is not set, this parameter is used to find the
2N/A default binding.
2N/A
2N/A Some of the other optional parameters are :
2N/A "RelayState" - the target URL on successful Single Logout
2N/A "goto" - the target URL on successful Single Logout.
2N/A "RelayState" takes precedence to "goto" parameter.
2N/A "Destination" - A URI Reference indicating the address to
2N/A which the request has been sent.
2N/A "Consent" - Specifies a URI a SAML defined identifier
2N/A known as Consent Identifiers.
2N/A "Extension" - Specifies a list of Extensions as list of
2N/A String objects.
2N/A "spEntityID" - Fedlet's entity ID. Used in fedlet case. When it is missing,
2N/A first sp from metadata is used.
2N/A Check the SAML2 Documentation for supported parameters.
2N/A--%>
2N/A
2N/A<%
2N/A AuditEventPublisher aep = InjectorHolder.getInstance(AuditEventPublisher.class);
2N/A AuditEventFactory aef = InjectorHolder.getInstance(AuditEventFactory.class);
2N/A SAML2Auditor saml2Auditor = new SAML2Auditor(aep, aef, request);
2N/A
2N/A saml2Auditor.setMethod("spSingleLogoutInit");
2N/A saml2Auditor.setRealm(SAML2Utils.getRealm(request.getParameterMap()));
2N/A saml2Auditor.setSessionTrackingId(session.getId());
2N/A saml2Auditor.auditAccessAttempt();
2N/A
2N/A // Retrieves the Request Query Parameters
2N/A // Binding are the required query parameters
2N/A // binding - binding used for this request
2N/A
2N/A try {
2N/A String RelayState = request.getParameter(SAML2Constants.RELAY_STATE);
2N/A if (RelayState == null || RelayState.isEmpty()) {
2N/A RelayState = request.getParameter(SAML2Constants.GOTO);
2N/A }
2N/A if (!ESAPI.validator().isValidInput("RelayState", RelayState, "HTTPQueryString", 2000, true)) {
2N/A RelayState = null;
2N/A }
2N/A
2N/A String metaAlias = null;
2N/A
2N/A Object ssoToken = null;
2N/A try {
2N/A ssoToken = SessionManager.getProvider().getSession(request);
2N/A saml2Auditor.setSSOTokenId(ssoToken);
2N/A } catch (SessionException se) {
2N/A if (SAML2Utils.debug.messageEnabled()) {
2N/A SAML2Utils.debug.message("No session.");
2N/A }
2N/A ssoToken = null;
2N/A }
2N/A
2N/A String spEntityID = null;
2N/A SAML2MetaManager manager = new SAML2MetaManager();
2N/A if (!SPCache.isFedlet) {
2N/A if (ssoToken == null) {
2N/A //There is no local session, so we can't perform the logout on the IdP,
2N/A //let's just return with HTTP 200
2N/A if (RelayState != null && !RelayState.isEmpty()
2N/A && SAML2Utils.isRelayStateURLValid(request, RelayState, SAML2Constants.SP_ROLE)
2N/A && ESAPI.validator().isValidInput("RelayState", RelayState, "URL", 2000, true)) {
2N/A saml2Auditor.auditAccessSuccess();
2N/A response.sendRedirect(RelayState);
2N/A } else {
2N/A saml2Auditor.auditAccessSuccess();
2N/A %>
2N/A <jsp:forward page="/saml2/jsp/default.jsp?message=spSloSuccess"/>
2N/A <%
2N/A }
2N/A return;
2N/A }
2N/A String[] values = SessionManager.getProvider().
2N/A getProperty(ssoToken, SAML2Constants.SP_METAALIAS);
2N/A if (values != null && values.length > 0) {
2N/A metaAlias = values[0];
2N/A }
2N/A } else {
2N/A saml2Auditor.setSSOTokenId(ssoToken);
2N/A
2N/A spEntityID = request.getParameter("spEntityID");
2N/A if ((spEntityID == null) || (spEntityID.length() == 0)) {
2N/A List spMetaAliases =
2N/A manager.getAllHostedServiceProviderMetaAliases("/");
2N/A if ((spMetaAliases != null) && !spMetaAliases.isEmpty()) {
2N/A // get first one
2N/A metaAlias = (String) spMetaAliases.get(0);
2N/A }
2N/A } else {
2N/A SPSSOConfigElement spConfig =
2N/A manager.getSPSSOConfig("/", spEntityID);
2N/A if (spConfig != null) {
2N/A metaAlias = spConfig.getMetaAlias();
2N/A }
2N/A }
2N/A }
2N/A if (metaAlias == null) {
2N/A try {
2N/A SessionManager.getProvider().invalidateSession(ssoToken, request, response);
2N/A } catch (SessionException se) {
2N/A if (SAML2Utils.debug.messageEnabled()) {
2N/A SAML2Utils.debug.message("No session.");
2N/A }
2N/A }
2N/A if (RelayState != null && SAML2Utils.isRelayStateURLValid(request, RelayState, SAML2Constants.SP_ROLE)
2N/A && ESAPI.validator().isValidInput("RelayState", RelayState, "URL", 2000, true)) {
2N/A saml2Auditor.auditAccessSuccess();
2N/A response.sendRedirect(RelayState);
2N/A } else {
2N/A saml2Auditor.auditAccessSuccess();
2N/A %>
2N/A <jsp:forward page="/saml2/jsp/default.jsp?message=spSloSuccess"/>
2N/A <%
2N/A }
2N/A return;
2N/A }
2N/A
2N/A String idpEntityID = request.getParameter("idpEntityID");
2N/A String binding = LogoutUtil.getSLOBindingInfo(request, metaAlias,
2N/A SAML2Constants.SP_ROLE, idpEntityID);
2N/A if (spEntityID == null) {
2N/A spEntityID = manager.getEntityByMetaAlias(metaAlias);
2N/A }
2N/A String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
2N/A
2N/A /**
2N/A * Parses the request parameters and builds the Logout
2N/A * Request to be sent to the IDP.
2N/A *
2N/A * @param request the HttpServletRequest.
2N/A * @param response the HttpServletResponse.
2N/A * @param metaAlias metaAlias of Service Provider. The format of
2N/A * this parameter is /realm_name/SP_name.
2N/A * @param binding binding used for this request.
2N/A * @param paramsMap Map of all other parameters.
2N/A * Following parameters names with their respective
2N/A * String values are allowed in this paramsMap.
2N/A * "RelayState" - the target URL on successful Single Logout
2N/A * "Destination" - A URI Reference indicating the address to
2N/A * which the request has been sent.
2N/A * "Consent" - Specifies a URI a SAML defined identifier
2N/A * known as Consent Identifiers.
2N/A * "Extension" - Specifies a list of Extensions as list of
2N/A * String objects.
2N/A * @throws SAML2Exception if error initiating request to IDP.
2N/A */
2N/A HashMap paramsMap = new HashMap();
2N/A if (SPCache.isFedlet) {
2N/A String sessionIndex = request.getParameter("SessionIndex");
2N/A if ((sessionIndex == null) || (sessionIndex.length() == 0)) {
2N/A SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
2N/A "nullSessionIndex",
2N/A SAML2Utils.bundle.getString("nullSessionIndex"));
2N/A saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
2N/A SAML2Utils.bundle.getString("nullSessionIndex"));
2N/A return;
2N/A } else {
2N/A paramsMap.put("SessionIndex", sessionIndex);
2N/A }
2N/A String nameID = request.getParameter("NameIDValue");
2N/A if ((nameID == null) || (nameID.length() == 0)) {
2N/A SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
2N/A "nullNameID",
2N/A SAML2Utils.bundle.getString("nullNameID"));
2N/A saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
2N/A SAML2Utils.bundle.getString("nullNameID"));
2N/A return;
2N/A } else {
2N/A if (spEntityID == null) {
2N/A if (manager == null) {
2N/A manager = new SAML2MetaManager();
2N/A }
2N/A spEntityID = manager.getEntityByMetaAlias(metaAlias);
2N/A }
2N/A if (idpEntityID == null) {
2N/A SAMLUtils.sendError(request, response,
2N/A response.SC_BAD_REQUEST,
2N/A "nullIDPEntityID",
2N/A SAML2Utils.bundle.getString("nullIDPEntityID"));
2N/A saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
2N/A SAML2Utils.bundle.getString("nullIDPEntityID"));
2N/A return;
2N/A }
2N/A paramsMap.put(
2N/A "infoKey", spEntityID+ "|" + idpEntityID + "|" + nameID);
2N/A }
2N/A
2N/A }
2N/A paramsMap.put("metaAlias", metaAlias);
2N/A paramsMap.put("idpEntityID", idpEntityID);
2N/A paramsMap.put(SAML2Constants.ROLE, SAML2Constants.SP_ROLE);
2N/A paramsMap.put(SAML2Constants.BINDING, binding);
2N/A paramsMap.put("Destination", request.getParameter("Destination"));
2N/A paramsMap.put("Consent", request.getParameter("Consent"));
2N/A paramsMap.put("Extension", request.getParameter("Extension"));
2N/A if (RelayState == null || RelayState.isEmpty()) {
2N/A RelayState = SAML2Utils.getAttributeValueFromSSOConfig(
2N/A realm, spEntityID, SAML2Constants.SP_ROLE,
2N/A SAML2Constants.DEFAULT_RELAY_STATE);
2N/A }
2N/A if (RelayState != null) {
2N/A paramsMap.put(SAML2Constants.RELAY_STATE, RelayState);
2N/A }
2N/A
2N/A SPSingleLogout.initiateLogoutRequest(
2N/A request, response, new PrintWriter(out, true), binding, paramsMap, saml2Auditor);
2N/A saml2Auditor.auditAccessSuccess();
2N/A
2N/A if (binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
2N/A if (RelayState != null && !RelayState.isEmpty()
2N/A && SAML2Utils.isRelayStateURLValid(metaAlias, RelayState, SAML2Constants.SP_ROLE)
2N/A && ESAPI.validator().isValidInput("RelayState", RelayState, "URL", 2000, true)) {
2N/A response.sendRedirect(RelayState);
2N/A } else {
2N/A %>
2N/A <jsp:forward page="/saml2/jsp/default.jsp?message=spSloSuccess"/>
2N/A <%
2N/A }
2N/A }
2N/A } catch (SAML2Exception sse) {
2N/A SAML2Utils.debug.error("Error sending Logout Request " , sse);
2N/A SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST, "LogoutRequestCreationError",
2N/A SAML2Utils.bundle.getString("LogoutRequestCreationError") + " " + sse.getMessage());
2N/A saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
2N/A SAML2Utils.bundle.getString("LogoutRequestCreationError"));
2N/A return;
2N/A } catch (Exception e) {
2N/A SAML2Utils.debug.error("Error initializing Request ",e);
2N/A SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST, "LogoutRequestCreationError",
2N/A SAML2Utils.bundle.getString("LogoutRequestCreationError") + " " + e.getMessage());
2N/A saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
2N/A SAML2Utils.bundle.getString("LogoutRequestCreationError"));
2N/A return;
2N/A }
2N/A%>
2N/A