a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster/**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * opensso/legal/CDDLv1.0.txt
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * at opensso/legal/CDDLv1.0.txt.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: FSSSOBrowserArtifactProfileHandler.java,v 1.6 2008/12/19 06:50:46 exu Exp $
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
4a5a82da9bbab0a3ea1701c3ae9334c678d24ca5Mark de Reeper/*
4a5a82da9bbab0a3ea1701c3ae9334c678d24ca5Mark de Reeper * Portions Copyrighted 2013 ForgeRock, Inc.
4a5a82da9bbab0a3ea1701c3ae9334c678d24ca5Mark de Reeper */
4a5a82da9bbab0a3ea1701c3ae9334c678d24ca5Mark de Reeper
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpackage com.sun.identity.federation.services.fednsso;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.services.FSAssertionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.services.util.FSServiceUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSSAMLRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSAuthnRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSAssertionArtifact;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.FSUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.FSException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.IFSConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.LogUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.jaxb.entityconfig.BaseConfigType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.key.KeyUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.meta.jaxb.SPDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.XMLSignatureManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.Assertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.NameIdentifier;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.Conditions;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.AudienceRestrictionCondition;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.protocol.StatusCode;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.protocol.Request;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.protocol.Status;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.protocol.AssertionArtifact;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLResponderException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.encode.URLEncDec;
4a5a82da9bbab0a3ea1701c3ae9334c678d24ca5Mark de Reeperimport org.forgerock.openam.utils.ClientUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.servlet.http.HttpServletRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.servlet.http.HttpServletResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.xml.soap.SOAPMessage;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.security.cert.X509Certificate;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Set;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Iterator;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.List;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.ArrayList;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.logging.Level;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport org.w3c.dom.Element;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport org.w3c.dom.Document;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster/**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>IDP</code> single sign on service handler handles browser artifact
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * profile.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpublic class FSSSOBrowserArtifactProfileHandler extends FSSSOAndFedHandler {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private Element samlRequestElement = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private SOAPMessage soapMsg = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets <code>SOAP</code> message.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param msg <code>SOAPMessage</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void setSOAPMessage(SOAPMessage msg) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster soapMsg = msg;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets <code>SAML</code> request element.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param root <code>SAML</code> request element
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void setSAMLRequestElement(Element root) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSBrowserArtifactConsumerHandler.setSAMLRequestElement: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlRequestElement = root;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected FSSSOBrowserArtifactProfileHandler() {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Constructor.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request <code>HttpServletRequest</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response <code>HttpServletResponse</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest authentication request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param spDescriptor <code>SP</code>'s provider descriptor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param spConfig <code>SP</code>'s extended meta config
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param spEntityId <code>SP</code>'s entity id
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param relayState where to go after single sign on is done
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public FSSSOBrowserArtifactProfileHandler(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletResponse response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSAuthnRequest authnRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPDescriptorType spDescriptor,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster BaseConfigType spConfig,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String spEntityId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String relayState)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster super(request, response, authnRequest, spDescriptor,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfig, spEntityId, relayState);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Constructor.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request <code>HttpServletRequest</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response <code>HttpServletResponse</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param samlRequest <code>Request</code> object that contains artifact
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public FSSSOBrowserArtifactProfileHandler(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletResponse response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Request samlRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster )
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster this.request = request;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster this.response = response;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //this.samlRequest = samlRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Processes authentication request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest authentication request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param bPostAuthn <code>true</code> indicates it's post authentication;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>false</code> indicates it's pre authentication.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
4a5a82da9bbab0a3ea1701c3ae9334c678d24ca5Mark de Reeper @Override
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void processAuthnRequest(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSAuthnRequest authnRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean bPostAuthn)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler.processAuthnRequest: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (bPostAuthn){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (processPostAuthnSSO(authnRequest)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: AuthnRequest Processing"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "successful");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.warningEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.warning(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: AuthnRequest Processing "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "failed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("AuthnRequestProcessingFailed")
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.AUTHN_REQUEST_PROCESSING_FAILED,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ssoToken);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sendSAMLArtifacts(null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean authnRequestSigned =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spDescriptor.isAuthnRequestsSigned();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: ProviderID : "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + spEntityId
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " AuthnRequestSigned : "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + authnRequestSigned);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSServiceUtils.isSigningOn()){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (authnRequestSigned){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!verifyRequestSignature(authnRequest)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "AuthnRequest Signature Verification Failed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster { FSUtils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "signatureVerificationFailed") };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.SIGNATURE_VERIFICATION_FAILED,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ssoToken);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sendSAMLArtifacts(null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "AuthnRequest Signature Verified");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (processPreAuthnSSO(authnRequest)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: AuthnRequest Processing "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " successful");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.warningEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.warning(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: AuthnRequest Processing "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "failed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("AuthnRequestProcessingFailed")
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.AUTHN_REQUEST_PROCESSING_FAILED,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ssoToken);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sendSAMLArtifacts(null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch(Exception e){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: Exception Occured: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sendSAMLArtifacts(null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Processes request with artifacts.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param samlRequest <code>FSSAMLRequest</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>FSResponse</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
4a5a82da9bbab0a3ea1701c3ae9334c678d24ca5Mark de Reeper @Override
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public FSResponse processSAMLRequest(FSSAMLRequest samlRequest) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler.processSAMLRequest: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return createSAMLResponse(samlRequest);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch(Exception e){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processSAMLRequest: Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cannot create status or response: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private FSResponse createSAMLResponse(FSSAMLRequest samlRequest)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throws FSException
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler.createSAMLResponse: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSResponse retResponse = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String respID= FSUtils.generateID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String inResponseTo= samlRequest.getRequestID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List contents = new ArrayList();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String message = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster int length;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Status status;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
4a5a82da9bbab0a3ea1701c3ae9334c678d24ca5Mark de Reeper String remoteAddr = ClientUtils.getClientIPAddress(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String respPrefix =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("responseLogMessage") + " " + remoteAddr;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster int reqType = samlRequest.getContentType();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (reqType == Request.NOT_SUPPORTED) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Found element in the request which are not supported");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = FSUtils.bundle.getString("unsupportedElement");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = new Status(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Responder"),message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse = new FSResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respID, inResponseTo, status, contents);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch( SAMLException se ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Fatal error, cannot create status or response: ", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (LogUtil.isAccessLoggable(Level.FINER)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix , retResponse.toString() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("responseID") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getResponseID() + "," +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getInResponseTo()};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO,LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return retResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSAssertionManager am = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster am = FSAssertionManager.getInstance(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch(FSException se ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Cannot instantiate "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "FSAssertionManager");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = se.getMessage();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = new Status(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Responder"), message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse = new FSResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respID,inResponseTo, status, contents);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch( SAMLException sse ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Fatal error, cannot create status or response: ", sse);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (LogUtil.isAccessLoggable(Level.FINER)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix , retResponse.toString() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("responseID") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getResponseID() + "," +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getInResponseTo()};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO,LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return retResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List artifacts = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List assertions = new ArrayList();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (reqType == Request.ASSERTION_ARTIFACT) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster artifacts = samlRequest.getAssertionArtifact();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster length = artifacts.size();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // ensure that all the artifacts have the same sourceID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String sourceID = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String providerID = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionArtifact art = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for (int j = 0; j < length; j++) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster art =(AssertionArtifact)artifacts.get(j);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (sourceID != null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!sourceID.equals(art.getSourceID())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Artifacts not from "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "the same source");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = FSUtils.bundle.getString("mismatchSourceID");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Need a second level status for the federation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * does not exist.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = new Status(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Requester",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IFSConstants.FEDERATION_NOT_EXISTS_STATUS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster null)),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new FSResponse(respID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster inResponseTo,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster contents);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch( SAMLException ex ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cannot create status or response: ", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (LogUtil.isAccessLoggable(Level.FINER)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix ,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.toString() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.FINER,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.CREATE_SAML_RESPONSE,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("responseID") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getResponseID() + "," +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getInResponseTo()};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return retResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else { //sourceids are equal
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster continue;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {// sourceID == null
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sourceID = art.getSourceID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } // while loop to go through artifacts to check for sourceID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (art != null){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster providerID = am.getDestIdForArtifact(art);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch(FSException ex){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: FSException Occured while "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "retrieving sp's providerID for the artifact: ", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster providerID = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (providerID == null){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "artifact received does not correspond to any SP");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = FSUtils.bundle.getString("invalidSource");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Need a second level status for the federation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * does not exist.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * First, let's check we haven't recorded a status
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * beforehand (by another call) related to this
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * artifact. If so, use it.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Status sorig = am.getErrorStatus( art );
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ( sorig != null ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = sorig;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = new Status(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Requester",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IFSConstants.FEDERATION_NOT_EXISTS_STATUS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster null)),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse = new FSResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respID,inResponseTo, status, contents);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return retResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch( SAMLException sse ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse:Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cannot create status or response: ", sse);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //return error response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!metaManager.isTrustedProvider(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster realm, hostedEntityId,providerID))
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOAndFedHandler.processAuthnRequest: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "RemoteProvider is not trusted");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = FSUtils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AuthnRequestProcessingFailed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = new Status(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Requester"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse = new FSResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respID, inResponseTo, status, contents);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return retResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spDescriptor = metaManager.getSPDescriptor(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster realm, providerID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spEntityId = providerID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster remoteAddr = providerID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch(Exception ae){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "FSAllianceManagementException "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Occured while getting" , ae);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = ae.getMessage();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = new Status(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Requester"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse = new FSResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respID,inResponseTo, status, contents);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return retResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch( SAMLException sse ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse:Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cannot create status or response: ", sse);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //Verify signature
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSServiceUtils.isSigningOn()){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!verifySAMLRequestSignature(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlRequestElement, soapMsg))
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "SAMLRequest signature verification failed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = FSUtils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "signatureVerificationFailed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = new Status(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Requester"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse = new FSResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respID, inResponseTo, status, contents);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return retResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch( SAMLException sse ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse:Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cannot create status or response: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + sse.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtProfileHandler.createSAMLResp:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " SAMLRequest signature verified");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //end signature verification
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: No artifact found in samlRequest");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = FSUtils.bundle.getString("missingArtifact");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = new Status(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Requester"), message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse = new FSResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respID,inResponseTo, status, contents);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return retResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch( SAMLException sse ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse:Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cannot create status or response: ", sse);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for (int i = 0; i < length; i++) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionArtifact artifact =(AssertionArtifact)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster artifacts.get(i);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Assertion assertion = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertion = am.getAssertion(artifact, spEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch(FSException e ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler.createSAML"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Response:could not find matching assertion:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = e.getMessage();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = new Status(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Success"), message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse = new FSResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respID,inResponseTo, status, contents);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch( SAMLException sse ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse:Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cannot create status or response: ", sse);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (LogUtil.isAccessLoggable(Level.FINER)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix , retResponse.toString() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("responseID") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getResponseID() + "," +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getInResponseTo()};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return retResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (assertion != null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertions.add(i,assertion);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster int assertionSize = assertions.size();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: found " + assertionSize + "assertions.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check that the target restriction condition
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // inside the assertion has the calling host's address in it.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for (int i = 0; i < assertionSize; i++) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Assertion assn = (Assertion)assertions.get(i);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Conditions conds = assn.getConditions();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Set trcs = conds.getAudienceRestrictionCondition();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: checking to see if assertions"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " are for host:" + remoteAddr);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (trcs != null && !trcs.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Iterator trcsIterator = trcs.iterator();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster while (trcsIterator.hasNext()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!((AudienceRestrictionCondition)trcsIterator.next())
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster .containsAudience(remoteAddr))
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: removing TRC not"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "meant for this host");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertions.remove(assn);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionSize = assertions.size();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (assertionSize == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Matching Assertions(s) not "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "created for this host");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = FSUtils.bundle.getString("mismatchDest");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new Status(new StatusCode("samlp:Success"), message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse = new FSResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respID, inResponseTo, status, contents);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch( SAMLException se ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cannot create status or response:", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (LogUtil.isAccessLoggable(Level.FINER)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix , retResponse.toString() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("responseID") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getResponseID() + "," +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getInResponseTo()};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return retResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (reqType == Request.ASSERTION_ARTIFACT) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (assertions.size() == artifacts.size()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Matching Assertion found");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = new Status(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Success"), message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse = new FSResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respID, inResponseTo, status, assertions);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch( SAMLException se ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cannot create status or response:", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch(Exception e ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cannot create status or response:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (LogUtil.isAccessLoggable(Level.FINER)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix , retResponse.toString() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.FINER,LogUtil.CREATE_SAML_RESPONSE, data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("responseID") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getResponseID() + "," +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getInResponseTo()};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return retResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = FSUtils.bundle.getString("unequalMatch");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = new Status(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Success"), message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse = new FSResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respID, inResponseTo, status, assertions);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch( SAMLException se ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cannot create status or response:", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (LogUtil.isAccessLoggable(Level.FINER)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix , retResponse.toString() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("responseID") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getResponseID() + "," +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getInResponseTo()};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return retResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else { // build response for all the other type of request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = new Status(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Success"), message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse = new FSResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respID, inResponseTo, status, assertions);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch( SAMLException se ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cannot create status or response:", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (LogUtil.isAccessLoggable(Level.FINER)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix , retResponse.toString() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.FINER,LogUtil.CREATE_SAML_RESPONSE, data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("responseID") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getResponseID() + "," +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.getInResponseTo()};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return retResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Browser-artifact single sign-on: mints an assertion artifact for the
 * authenticated session and redirects the user agent to the SP's
 * assertion consumer service carrying that artifact.
 * <p>
 * The artifact list may come back {@code null} when artifact creation
 * fails; {@link #sendSAMLArtifacts} substitutes a fault artifact in that
 * case, so this method never reports failure to its caller.
 *
 * @param ssoToken the session object of the authenticated principal; it is
 *        also cached in {@code this.ssoToken}
 * @param inResponseTo request ID this SSO response answers
 * @param opaqueHandle federated name identifier (per its name, the SP-side
 *        handle)
 * @param idpOpaqueHandle federated name identifier (per its name, the
 *        IDP-side handle)
 * @return {@code true} unconditionally
 */
@Override
protected boolean doSingleSignOn(
    Object ssoToken,
    String inResponseTo,
    NameIdentifier opaqueHandle,
    NameIdentifier idpOpaqueHandle
)
{
    FSUtils.debug.message(
        "FSSSOBrowserArtifactProfileHandler.doSingleSignOn: Called");
    this.ssoToken = ssoToken;
    // A null result here means artifact creation failed; sendSAMLArtifacts
    // handles that by generating a fault artifact instead.
    final List artifacts = createSAMLAssertionArtifact(
        ssoToken, inResponseTo, opaqueHandle, idpOpaqueHandle);
    sendSAMLArtifacts(artifacts);
    return true;
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Creates an assertion through {@link FSAssertionManager} and returns the
 * corresponding artifact string as a single-element list.
 * <p>
 * Any {@link FSException}, {@link SAMLException} or
 * {@link SessionException} is logged and turned into a {@code null}
 * return; callers must treat {@code null} as "no artifact available".
 * <p>
 * NOTE(review): when message-level debugging is enabled the artifact value
 * itself is written to the debug log. An artifact is a short-lived
 * reference that the SP later exchanges for the assertion, so debug logs
 * containing it should be handled as sensitive.
 *
 * @param ssoToken session whose session ID is bound to the assertion
 * @param inResponseTo request ID the assertion answers
 * @param userHandle federated name identifier (user/SP side)
 * @param idpHandle federated name identifier (IDP side)
 * @return a raw {@code List} holding one artifact string, or {@code null}
 *         on failure
 */
protected List createSAMLAssertionArtifact(
    Object ssoToken,
    String inResponseTo,
    NameIdentifier userHandle,
    NameIdentifier idpHandle
)
{
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
            + "createSAMLAssertionArtifact: Called");
    }
    try {
        // Same evaluation order as before: manager lookup first, then the
        // session ID, so failure paths log under the same (n) markers.
        final FSAssertionManager manager =
            FSAssertionManager.getInstance(metaAlias);
        final String sessionId =
            SessionManager.getProvider().getSessionID(ssoToken);
        final AssertionArtifact artifact = manager.createFSAssertionArtifact(
            sessionId,
            realm,
            spEntityId,
            userHandle,
            idpHandle,
            inResponseTo,
            authnRequest.getMinorVersion());
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("AssertionArtifact id = " +
                artifact.toString());
        }
        final List result = new ArrayList(1);
        result.add(artifact.getAssertionArtifact());
        return result;
    } catch (FSException se) {
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
            + "createSAMLAssertionArtifact(0): ", se);
    } catch (SAMLException se) {
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
            + "createSAMLAssertionArtifact(1): ", se);
    } catch (SessionException se) {
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
            + "createSAMLAssertionArtifact(2): ", se);
    }
    return null;
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
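/**
 * Redirects the user agent to the SP's assertion consumer service with the
 * artifact(s) passed as query parameters.
 * <p>
 * Security notes:
 * <ul>
 * <li>The redirect target is resolved from the SP's metadata
 *     ({@code spDescriptor}) by the AssertionConsumerServiceID of the
 *     request, not taken from a request parameter, so the requester cannot
 *     pick an arbitrary destination.</li>
 * <li>RelayState ({@code LRURL}) originates from the AuthnRequest and is
 *     untrusted; it is URL-encoded before being placed in the redirect
 *     URL, which also rules out CR/LF or extra-parameter injection into
 *     the Location header.</li>
 * <li>The artifact is a short-lived credential reference. It appears in
 *     the debug log (message level) and, as part of the full redirect
 *     URL, in the access log at FINER; treat those logs as sensitive.</li>
 * </ul>
 * If no ACS URL can be resolved, an error is logged and no redirect is
 * sent (previously this surfaced as a NullPointerException swallowed by
 * the catch-all below).
 *
 * @param artis artifact strings to send; {@code null} means artifact
 *        creation failed and a fault artifact is generated instead
 */
private void sendSAMLArtifacts(List artis) {
    FSUtils.debug.message(
        "FSSSOBrowserArtifactProfileHandler.sendSAMLArtifacts: Called");
    if (artis == null) {
        // Artifact creation failed upstream: hand the SP an artifact that
        // is registered with an error status rather than sending nothing.
        artis = createFaultSAMLArtifact();
    }
    try {
        String targetURL = FSServiceUtils.getAssertionConsumerServiceURL(
            spDescriptor, authnRequest.getAssertionConsumerServiceID());
        if (targetURL == null) {
            // Fail with a meaningful message instead of dereferencing null.
            FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
                + "sendSAMLArtifacts: no assertion consumer service URL "
                + "found for SP " + spEntityId);
            return;
        }
        StringBuilder sb = new StringBuilder(1000);
        if (artis == null || artis.isEmpty()) {
            // Even the fault artifact could not be built: an empty artifact
            // parameter is sent.
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
                    + "sendSAMLArtifacts: Sending null artifact");
            }
            sb.append(IFSConstants.ARTIFACT_NAME_DEFAULT)
              .append("=")
              .append("&");
        } else {
            for (Object item : artis) {
                String art = URLEncDec.encode((String) item);
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message(
                        "FSSSOBrowserArtifactProfileHandler."
                        + "sendSAMLArtifacts: " + art);
                }
                sb.append(IFSConstants.ARTIFACT_NAME_DEFAULT)
                  .append("=")
                  .append(art)
                  .append("&");
            }
        }
        // Append to an existing query string if the ACS URL already has one.
        StringBuilder tmp = new StringBuilder(1000);
        tmp.append(targetURL)
           .append(targetURL.indexOf('?') == -1 ? "?" : "&")
           .append(sb);
        String relayURL = authnRequest.getRelayState();
        if (relayURL != null) {
            // Untrusted value from the AuthnRequest: always URL-encoded.
            tmp.append(IFSConstants.LRURL)
               .append("=")
               .append(URLEncDec.encode(relayURL));
        }
        String redirecto = tmp.toString();
        response.setContentType("text/html");
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
                + "sendSAMLArtifacts: Sending artifacts to: " + redirecto);
        }
        String[] data = { redirecto };
        LogUtil.access(Level.FINER, LogUtil.REDIRECT_TO, data, ssoToken);
        // sendRedirect sets the 302 status and the Location header itself
        // (the former explicit setStatus/setHeader calls were overridden by
        // it); it throws IllegalStateException if the response is already
        // committed, which lands in the catch-all below.
        response.sendRedirect(redirecto);
    } catch (Exception ex) {
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
            + "sendSAMLArtifacts: ", ex);
    }
}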
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Builds an artifact for a single sign-on attempt that cannot succeed (the
 * user has no federation with the SP). The artifact is structurally valid
 * but is registered with the assertion manager under {@code noFedStatus},
 * so resolving it yields that error status instead of an assertion.
 * <p>
 * The artifact's source ID is derived from {@code hostedEntityId}; the
 * handle comes from {@link SAMLUtils#generateAssertionHandle()} (its
 * randomness source is not visible here).
 *
 * @return a single-element list holding the artifact string, or
 *         {@code null} if no handle could be generated or any other error
 *         occurred (both cases are logged)
 */
private List createFaultSAMLArtifact() {
    FSUtils.debug.message(
        "FSSSOBrowserArtifactProfileHandler. In createFaultSAMLArtifacts");
    final String handle = SAMLUtils.generateAssertionHandle();
    if (handle == null) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." +
                "create FaultSAMLArtifacts: couldn't generate assertion " +
                "handle.");
        }
        return null;
    }
    try {
        final byte[] sourceId = SAMLUtils.stringToByteArray(
            FSUtils.generateSourceID(hostedEntityId));
        final byte[] handleBytes =
            handle.getBytes(IFSConstants.SOURCEID_ENCODING);
        final AssertionArtifact art =
            new FSAssertionArtifact(sourceId, handleBytes);
        final List artis = new ArrayList(1);
        artis.add(art.getAssertionArtifact());
        // Bind the "no federation" error status to this artifact so that
        // the SP's resolution request receives it.
        final FSAssertionManager manager =
            FSAssertionManager.getInstance(metaAlias);
        manager.setErrStatus(art, noFedStatus);
        return artis;
    } catch (Exception e) {
        FSUtils.debug.error(
            "FSBrowserArtifactProfileHandler.createFaultSAMLArtifacts: ", e);
        return null;
    }
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
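/**
 * Verifies the XML signature on the SAML request the SP sent over SOAP.
 * <p>
 * The verification certificate is the SP's, obtained from
 * {@code spDescriptor}/{@code spEntityId} via
 * {@link KeyUtil#getVerificationCert}; a missing certificate is treated as
 * a verification failure (fail closed).
 * <p>
 * NOTE(review): {@code samlRequestElement} is not used. The signature is
 * checked over the DOM built from the whole SOAP message, so this method on
 * its own does not establish that the signature covers the request element
 * it is handed. Whether
 * {@link XMLSignatureManager#verifyXMLSignature} enforces that binding
 * (i.e. rejects a valid signature over some other part of the envelope) is
 * not visible here and should be confirmed before relying on this check.
 *
 * @param samlRequestElement the SAML request element (currently unused here)
 * @param msg the SOAP message carrying the signed request
 * @return {@code true} if the signature verifies; {@code false} if the SP
 *         certificate is unavailable, verification fails, or any exception
 *         occurs (logged)
 */
protected boolean verifySAMLRequestSignature(
    Element samlRequestElement,
    SOAPMessage msg
)
{
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
            + "verifySAMLRequestSignature: Called");
    }
    try {
        X509Certificate cert = KeyUtil.getVerificationCert(
            spDescriptor, spEntityId, false);

        if (cert == null) {
            // Message corrected: the certificate looked up above is the
            // SP's, not this site's.
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
                    + "verifySAMLRequestSignature: couldn't obtain "
                    + "the SP's verification cert.");
            }
            throw new SAMLResponderException(
                FSUtils.bundle.getString(IFSConstants.NO_CERT));
        }
        XMLSignatureManager manager = XMLSignatureManager.getInstance();
        Document doc = (Document) FSServiceUtils.createSOAPDOM(msg);
        return manager.verifyXMLSignature(doc, cert);
    } catch (Exception e) {
        // Message corrected: this side (the IDP) is verifying the SP's
        // signature, as the certificate above comes from the SP descriptor.
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
            + "verifySAMLRequestSignature: Exception occured while "
            + "verifying SP's signature:", e);
        return false;
    }
}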
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster}