FAMSTSAttributeProvider.java revision 4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1c
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: FAMSTSAttributeProvider.java,v 1.22 2010/01/15 18:54:35 mrudul_uchil Exp $
*
*/
/**
* The STS attribute provider retrieves an authenticated user's or profile
* attributes and passes them to the assertion generator so that these
* attributes can become part of SAML attribute statements.
*
* The provider first checks whether the end user's SSOToken is present in the
* <code>OnBehalfOf</code> element of the WS-Trust request and, if so, generates
* SAML attributes from the user profile. This is usually the case when the STS
* and the web services client are deployed locally on the same or trusted Federal
* OpenSSO instances. Otherwise, it tries to retrieve the web services
* client's profile attributes, if they exist.
*/
public class FAMSTSAttributeProvider implements STSAttributeProvider {
// Shared token manager; it is null-checked before use further down, so it
// appears to be initialized lazily — TODO confirm where it is assigned.
protected static SSOTokenManager tokenManager;
/**
* Returns all claimed attributes for a given subject.
* The subject name is resolved, in order, from the OnBehalfOf/custom token,
* the authenticated subject, an X509 certificate or SAML assertion, and
* finally the subject's principals.
* @return the claimed attributes, or {@code null} if no subject could be
*         resolved or the custom-token lookup fails
*/
try {
} catch (FAMSTSException fse) {
// A failed custom-token lookup is recorded and aborts attribute retrieval.
+ " getSubjectNameFromCustomToken failed : ", fse);
return null;
}
if(subjectName == null) {
"Attributes: subject is null from 'On Behalf Of' OR Custom token");
}
}
if(subjectName == null) {
"Attributes: subject is null from authenticated subject");
}
// The subject may also be carried by an X509 certificate or by a SAML
// assertion supplied as an XMLStreamReader.
if(object instanceof X509Certificate) {
} else if (object instanceof XMLStreamReader) {
//To create a DOM Element representing the Assertion :
try {
// NOTE(review): the effect of a failed validation on subjectName is not
// visible here — TODO confirm the assertion is discarded on failure.
+ "Attributes: assertion validation failed");
}
}
}
}
if(subjectName == null) {
"Attributes: subject from X509certificate is null" +
" Checking in subject principals");
}
if (principals != null){
} else {
}
break;
}
}
}
"Attributes: subjectName : " + subjectName);
}
// No subject could be resolved from any source: nothing to return.
if(subjectName == null) {
" Subject could not found.");
return null;
}
data,
null);
} else {
}
}
}
}
// Without an agent configuration for appliesTo, the attributes collected
// so far are returned as-is.
" Agent configuration not defined for " + appliesTo);
return attrs;
}
}
if(samlAttributeMap != null) {
}
//Adding the attributes from the authenticated SAML Assertion to the
//newly created assertion.
}
}
// Presumably membership attributes; only added when includeMemberships is set.
if(includeMemberships){
}
}
}
null);
return attrs;
}
// Fall back to the plain user name when there is no agent configuration or
// no NameID implementation to map it with.
if(agentConfig == null) {
return userName;
}
if(nameIDImpl == null) {
return userName;
}
}
/**
* Returns the end user's principal if an OpenSSO token or any other custom
* token is present; otherwise returns {@code null}.
* Failures of the custom-token validation (FAMSTSException, SSOException,
* SecurityException) are recorded and result in {@code null}.
*/
try {
// Wrap the credential as a client user token and ask the validator for
// the subject name.
new STSClientUserToken(credential);
return validator.getSubjectName();
return validator.getSubjectName();
} else {
return null;
}
} else {
return null;
}
} catch (FAMSTSException fae) {
"SubjectNameFromCustomToken: FAMException", fae);
}
} catch (SSOException se) {
"SubjectNameFromCustomToken: SSOException", se);
}
} catch (SecurityException sec) {
"SubjectNameFromCustomToken: SecurityException", sec);
}
}
} else {
try {
return userToken.getPrincipalName();
//The element could be anything, not necessarily
// an OBOToken.
}
}
}
}
}
}
return null;
}
/**
* Returns the principal from the authenticated Subject if available
* through private credentials.
* @param subject authenticated subject
* @return the authenticated principal name, or {@code null} if none is
*         available or the privileged lookup fails
*/
try {
}
}
}
return null;
}
});
} catch (Exception e) {
// NOTE(review): catching Exception here also hides programming errors in
// the privileged action; narrowing to the types it can throw would be safer.
"Subject: Priveleged exception error", e);
return null;
}
try {
}
} catch (SSOException se) {
"Subject: SSOException", se);
}
return null;
}
//To create a DOM Element representing the Assertion :
try {
//samlAssertionE = SAMLUtil.createSAMLAssertion(reader);
namespace)) {
} else if (
}
}
+ " failed : ", ex);
}
}
try {
+ " getClaimNames: ", ex);
// ignore: a claim-name lookup failure appears to be best-effort and the
// names collected so far are still returned — TODO confirm this is intended.
}
}
}
}
return claimNames;
}
/**
* Checks whether the agent token ID is appended to the token string.
* If so, it is used as a restriction context. This supports the
* cookie-hijacking prevention feature, where the agent appends its own
* token ID to the user SSO token before sending it to the server for
* validation.
* @throws SSOException propagated from the underlying token operations
*/
throws SSOException {
// The flag appears to default to "false", making restricted-token use opt-in.
"false")).booleanValue();
if (tokenManager == null) {
}
if (!useAppToken) {
}
try {
new RestrictedTokenAction() {
}
});
} catch (SSOException e) {
// NOTE(review): the catch bodies are not visible here — TODO confirm the
// SSOException is rethrown (the method declares it) rather than swallowed.
} catch (Exception e) {
}
return stoken;
}
}