/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * https://opensso.dev.java.net/public/CDDLv1.0.html or
 * opensso/legal/CDDLv1.0.txt
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at opensso/legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 * $Id: FSSSOBrowserArtifactProfileHandler.java,v 1.6 2008/12/19 06:50:46 exu Exp $
 *
 */

/*
 * Portions Copyrighted 2013 ForgeRock, Inc.
 */

4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkpackage com.sun.identity.federation.services.fednsso;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.services.FSAssertionManager;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.services.util.FSServiceUtils;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.message.FSResponse;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.message.FSSAMLRequest;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.message.FSAuthnRequest;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.message.FSAssertionArtifact;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.common.FSUtils;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.common.FSException;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.common.IFSConstants;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.common.LogUtil;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.jaxb.entityconfig.BaseConfigType;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.key.KeyUtil;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.liberty.ws.meta.jaxb.SPDescriptorType;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.plugin.session.SessionException;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.plugin.session.SessionManager;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.xmlsig.XMLSignatureManager;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.assertion.Assertion;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.assertion.NameIdentifier;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.assertion.Conditions;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.assertion.AudienceRestrictionCondition;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.protocol.StatusCode;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.protocol.Request;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.protocol.Status;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.protocol.AssertionArtifact;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.common.SAMLException;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.common.SAMLResponderException;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.common.SAMLUtils;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.shared.encode.URLEncDec;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport org.forgerock.openam.utils.ClientUtils;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport javax.servlet.http.HttpServletRequest;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport javax.servlet.http.HttpServletResponse;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport javax.xml.soap.SOAPMessage;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport java.security.cert.X509Certificate;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport java.util.Set;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport java.util.Iterator;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport java.util.List;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport java.util.ArrayList;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport java.util.logging.Level;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport org.w3c.dom.Element;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport org.w3c.dom.Document;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
/**
 * <code>IDP</code> single sign on service handler that handles the browser
 * artifact profile.
 */
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkpublic class FSSSOBrowserArtifactProfileHandler extends FSSSOAndFedHandler {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
/** Root element of the SAML request; assigned by {@link #setSAMLRequestElement(Element)}. */
private Element samlRequestElement = null;
/** SOAP message supplied by the caller via {@link #setSOAPMessage(SOAPMessage)}. */
private SOAPMessage soapMsg = null;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
/**
 * Stores the <code>SOAP</code> message that carried the request so that it is
 * available to this handler.
 *
 * @param msg <code>SOAPMessage</code> object to keep
 */
public void setSOAPMessage(SOAPMessage msg) {
    this.soapMsg = msg;
}
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
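/**
 * Sets the <code>SAML</code> request element.
 * The debug trace names this class, matching every other trace message
 * in this handler so the log line can be attributed correctly.
 *
 * @param root <code>SAML</code> request element
 */
public void setSAMLRequestElement(Element root) {
    FSUtils.debug.message(
        "FSSSOBrowserArtifactProfileHandler.setSAMLRequestElement: Called");
    samlRequestElement = root;
}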
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
/**
 * No-argument constructor reserved for subclasses; performs no
 * initialisation beyond that of the superclass.
 */
protected FSSSOBrowserArtifactProfileHandler() {
    super();
}
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
/**
 * Creates a handler for the single sign-on path, delegating all state
 * initialisation to the superclass constructor.
 *
 * @param request <code>HttpServletRequest</code> object
 * @param response <code>HttpServletResponse</code> object
 * @param authnRequest authentication request
 * @param spDescriptor <code>SP</code>'s provider descriptor
 * @param spConfig <code>SP</code>'s extended meta config
 * @param spEntityId <code>SP</code>'s entity id
 * @param relayState where to go after single sign on is done
 */
public FSSSOBrowserArtifactProfileHandler(
        HttpServletRequest request,
        HttpServletResponse response,
        FSAuthnRequest authnRequest,
        SPDescriptorType spDescriptor,
        BaseConfigType spConfig,
        String spEntityId,
        String relayState) {
    super(request, response, authnRequest, spDescriptor, spConfig, spEntityId, relayState);
}
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
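/**
 * Creates a handler for the artifact resolution path, where only the servlet
 * request and response are needed.
 * <p>
 * This constructor does not invoke the superclass constructor used by the
 * AuthnRequest-based constructor, so whatever that constructor initialises
 * (presumably the SP descriptor, SP config, entity id and relay state) is
 * absent on an instance created here; such an instance appears to be intended
 * only for {@link #processSAMLRequest(FSSAMLRequest)} — confirm against callers.
 * The {@code samlRequest} argument is accepted for API compatibility but is
 * not retained; the artifact request is passed to {@code processSAMLRequest}
 * instead.
 *
 * @param request <code>HttpServletRequest</code> object
 * @param response <code>HttpServletResponse</code> object
 * @param samlRequest <code>Request</code> object that contains artifact;
 *        currently unused by this handler
 */
public FSSSOBrowserArtifactProfileHandler(
        HttpServletRequest request,
        HttpServletResponse response,
        Request samlRequest) {
    this.request = request;
    this.response = response;
}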
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
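/**
 * Processes an authentication request for the browser artifact profile.
 * <p>
 * Pre-authentication ({@code bPostAuthn == false}): the request signature is
 * verified only when signing is enabled service-wide
 * ({@code FSServiceUtils.isSigningOn()}) <em>and</em> the SP descriptor
 * declares that its requests are signed; when either condition is false no
 * signature check is made here. A failed verification is logged and answered
 * with {@code sendSAMLArtifacts(null)} without further processing; otherwise
 * the request is handed to {@code processPreAuthnSSO}.
 * <p>
 * Post-authentication ({@code bPostAuthn == true}): the request is handed to
 * {@code processPostAuthnSSO}.
 * <p>
 * Failed SSO processing on either path, and any exception escaping it, is
 * logged and answered with {@code sendSAMLArtifacts(null)}.
 *
 * @param authnRequest authentication request
 * @param bPostAuthn <code>true</code> indicates it's post authentication;
 *        <code>false</code> indicates it's pre authentication.
 */
@Override
public void processAuthnRequest(
        FSAuthnRequest authnRequest,
        boolean bPostAuthn) {
    FSUtils.debug.message(
        "FSSSOBrowserArtifactProfileHandler.processAuthnRequest: Called");
    try {
        if (bPostAuthn) {
            if (processPostAuthnSSO(authnRequest)) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message(
                        "FSSSOBrowserArtifactProfileHandler."
                        + "processAuthnRequest: AuthnRequest Processing "
                        + "successful");
                }
            } else {
                handleAuthnRequestProcessingFailed();
            }
            return;
        }

        boolean authnRequestSigned = spDescriptor.isAuthnRequestsSigned();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
                + "processAuthnRequest: ProviderID : "
                + spEntityId
                + " AuthnRequestSigned : "
                + authnRequestSigned);
        }
        // Both switches must be on for the signature to be checked; an
        // unsigned-by-metadata SP, or signing disabled service-wide, skips it.
        if (FSServiceUtils.isSigningOn() && authnRequestSigned) {
            if (!verifyRequestSignature(authnRequest)) {
                FSUtils.debug.error(
                    "FSSSOBrowserArtifactProfileHandler."
                    + "processAuthnRequest: "
                    + "AuthnRequest Signature Verification Failed");
                String[] data = {
                    FSUtils.bundle.getString("signatureVerificationFailed")
                };
                LogUtil.error(Level.INFO,
                    LogUtil.SIGNATURE_VERIFICATION_FAILED,
                    data,
                    ssoToken);
                sendSAMLArtifacts(null);
                return;
            }
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message(
                    "FSSSOBrowserArtifactProfileHandler."
                    + "processAuthnRequest: "
                    + "AuthnRequest Signature Verified");
            }
        }

        if (processPreAuthnSSO(authnRequest)) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message(
                    "FSSSOBrowserArtifactProfileHandler."
                    + "processAuthnRequest: AuthnRequest Processing "
                    + "successful");
            }
        } else {
            handleAuthnRequestProcessingFailed();
        }
    } catch (Exception e) {
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
            + "processAuthnRequest: Exception Occured: ", e);
        sendSAMLArtifacts(null);
    }
}

/**
 * Records a failed AuthnRequest processing attempt (debug warning plus audit
 * log entry) and answers the requester with {@code sendSAMLArtifacts(null)}.
 * Shared by the pre- and post-authentication paths, which previously carried
 * identical copies of this sequence.
 */
private void handleAuthnRequestProcessingFailed() {
    if (FSUtils.debug.warningEnabled()) {
        FSUtils.debug.warning(
            "FSSSOBrowserArtifactProfileHandler."
            + "processAuthnRequest: AuthnRequest Processing "
            + "failed");
    }
    String[] data = {
        FSUtils.bundle.getString("AuthnRequestProcessingFailed")
    };
    LogUtil.error(Level.INFO,
        LogUtil.AUTHN_REQUEST_PROCESSING_FAILED,
        data,
        ssoToken);
    sendSAMLArtifacts(null);
}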
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
/**
 * Processes a <code>SAML</code> request carrying assertion artifacts by
 * building the corresponding response.
 *
 * @param samlRequest <code>FSSAMLRequest</code> object
 * @return <code>FSResponse</code> object, or <code>null</code> when the
 *         response could not be created (the failure is logged)
 */
@Override
public FSResponse processSAMLRequest(FSSAMLRequest samlRequest) {
    FSUtils.debug.message(
        "FSSSOBrowserArtifactProfileHandler.processSAMLRequest: Called");
    FSResponse samlResponse = null;
    try {
        samlResponse = createSAMLResponse(samlRequest);
    } catch (Exception e) {
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
            + "processSAMLRequest: Fatal error, "
            + "cannot create status or response: ", e);
    }
    return samlResponse;
}
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk private FSResponse createSAMLResponse(FSSAMLRequest samlRequest)
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk throws FSException
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.debug.message(
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "FSSSOBrowserArtifactProfileHandler.createSAMLResponse: Called");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSResponse retResponse = null;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String respID= FSUtils.generateID();
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String inResponseTo= samlRequest.getRequestID();
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk List contents = new ArrayList();
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String message = null;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk int length;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk Status status;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String remoteAddr = ClientUtils.getClientIPAddress(request);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String respPrefix =
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.bundle.getString("responseLogMessage") + " " + remoteAddr;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk int reqType = samlRequest.getContentType();
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk if (reqType == Request.NOT_SUPPORTED) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk if (FSUtils.debug.messageEnabled()) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "createSAMLResponse: "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "Found element in the request which are not supported");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk }
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk message = FSUtils.bundle.getString("unsupportedElement");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk try {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk status = new Status(
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk new StatusCode("samlp:Responder"),message, null);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk retResponse = new FSResponse(
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk respID, inResponseTo, status, contents);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk retResponse.setMinorVersion(samlRequest.getMinorVersion());
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk } catch( SAMLException se ) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "createSAMLResponse: "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "Fatal error, cannot create status or response: ", se);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk }
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk if (LogUtil.isAccessLoggable(Level.FINER)) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String[] data = { respPrefix , retResponse.toString() };
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk LogUtil.access(Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk } else {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String[] data = { respPrefix,
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.bundle.getString("responseID") + "=" +
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk retResponse.getResponseID() + "," +
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.bundle.getString("inResponseTo") + "=" +
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk retResponse.getInResponseTo()};
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk LogUtil.access(Level.INFO,LogUtil.CREATE_SAML_RESPONSE,data);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk }
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk return retResponse;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk }
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSAssertionManager am = null;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk try {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk am = FSAssertionManager.getInstance(metaAlias);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk } catch(FSException se ) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk if (FSUtils.debug.messageEnabled()) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "createSAMLResponse: Cannot instantiate "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "FSAssertionManager");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk }
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk message = se.getMessage();
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk try {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk status = new Status(
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk new StatusCode("samlp:Responder"), message, null);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk retResponse = new FSResponse(
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk respID,inResponseTo, status, contents);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk retResponse.setMinorVersion(samlRequest.getMinorVersion());
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk } catch( SAMLException sse ) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "createSAMLResponse: "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "Fatal error, cannot create status or response: ", sse);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk }
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk if (LogUtil.isAccessLoggable(Level.FINER)) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String[] data = { respPrefix , retResponse.toString() };
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk LogUtil.access(Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk } else {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String[] data = { respPrefix,
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.bundle.getString("responseID") + "=" +
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk retResponse.getResponseID() + "," +
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.bundle.getString("inResponseTo") + "=" +
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk retResponse.getInResponseTo()};
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk LogUtil.access(Level.INFO,LogUtil.CREATE_SAML_RESPONSE,data);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk }
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk return retResponse;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk }
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk List artifacts = null;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk List assertions = new ArrayList();
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk if (reqType == Request.ASSERTION_ARTIFACT) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk artifacts = samlRequest.getAssertionArtifact();
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk length = artifacts.size();
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk // ensure that all the artifacts have the same sourceID
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String sourceID = null;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String providerID = null;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk AssertionArtifact art = null;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk for (int j = 0; j < length; j++) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk art =(AssertionArtifact)artifacts.get(j);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk if (sourceID != null) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk if (!sourceID.equals(art.getSourceID())) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk if (FSUtils.debug.messageEnabled()) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.debug.message(
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "createSAMLResponse: Artifacts not from "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "the same source");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk }
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk message = FSUtils.bundle.getString("mismatchSourceID");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk try {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk /**
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * Need a second level status for the federation
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * does not exist.
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk */
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk status = new Status(
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk new StatusCode("samlp:Requester",
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk new StatusCode(
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk IFSConstants.FEDERATION_NOT_EXISTS_STATUS,
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk null)),
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk message,
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk null);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk retResponse =
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk new FSResponse(respID,
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk inResponseTo,
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk status,
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk contents);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk retResponse.setMinorVersion(
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk samlRequest.getMinorVersion());
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk } catch( SAMLException ex ) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.debug.error(
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "createSAMLResponse: Fatal error, "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "cannot create status or response: ", ex);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk }
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk if (LogUtil.isAccessLoggable(Level.FINER)) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String[] data = { respPrefix ,
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk retResponse.toString() };
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk LogUtil.access(Level.FINER,
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk LogUtil.CREATE_SAML_RESPONSE,
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk data);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk } else {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String[] data = { respPrefix,
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.bundle.getString("responseID") + "=" +
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk retResponse.getResponseID() + "," +
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.bundle.getString("inResponseTo") + "=" +
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk retResponse.getInResponseTo()};
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk LogUtil.access(
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk }
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk return retResponse;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk } else { //sourceids are equal
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk continue;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk }
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk } else {// sourceID == null
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk sourceID = art.getSourceID();
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk }
} // while loop to go through artifacts to check for sourceID
if (art != null){
try {
providerID = am.getDestIdForArtifact(art);
} catch(FSException ex){
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: FSException Occured while "
+ "retrieving sp's providerID for the artifact: ", ex);
providerID = null;
}
if (providerID == null){
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: "
+ "artifact received does not correspond to any SP");
message = FSUtils.bundle.getString("invalidSource");
try {
/**
* Need a second level status for the federation
* does not exist.
*/
/**
* First, let's check we haven't recorded a status
* beforehand (by another call) related to this
* artifact. If so, use it.
*/
Status sorig = am.getErrorStatus( art );
if ( sorig != null ) {
status = sorig;
} else {
status = new Status(
new StatusCode("samlp:Requester",
new StatusCode(
IFSConstants.FEDERATION_NOT_EXISTS_STATUS,
null)),
message,
null);
}
retResponse = new FSResponse(
respID,inResponseTo, status, contents);
retResponse.setMinorVersion(
samlRequest.getMinorVersion());
return retResponse;
} catch( SAMLException sse ) {
FSUtils.debug.error(
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse:Fatal error, "
+ "cannot create status or response: ", sse);
return null;
}
//return error response
} else {
try {
if (!metaManager.isTrustedProvider(
realm, hostedEntityId,providerID))
{
FSUtils.debug.error(
"FSSSOAndFedHandler.processAuthnRequest: "
+ "RemoteProvider is not trusted");
message = FSUtils.bundle.getString(
"AuthnRequestProcessingFailed");
status = new Status(
new StatusCode("samlp:Requester"),
message,
null);
retResponse = new FSResponse(
respID, inResponseTo, status, contents);
retResponse.setMinorVersion(
samlRequest.getMinorVersion());
return retResponse;
}
spDescriptor = metaManager.getSPDescriptor(
realm, providerID);
spEntityId = providerID;
remoteAddr = providerID;
} catch(Exception ae){
FSUtils.debug.error(
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: "
+ "FSAllianceManagementException "
+ "Occured while getting" , ae);
message = ae.getMessage();
try {
status = new Status(
new StatusCode("samlp:Requester"),
message,
null);
retResponse = new FSResponse(
respID,inResponseTo, status, contents);
retResponse.setMinorVersion(
samlRequest.getMinorVersion());
return retResponse;
} catch( SAMLException sse ) {
FSUtils.debug.error(
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse:Fatal error, "
+ "cannot create status or response: ", sse);
return null;
}
}
}
//Verify signature
if (FSServiceUtils.isSigningOn()){
if (!verifySAMLRequestSignature(
samlRequestElement, soapMsg))
{
FSUtils.debug.error(
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: "
+ "SAMLRequest signature verification failed");
message = FSUtils.bundle.getString(
"signatureVerificationFailed");
try {
status = new Status(
new StatusCode("samlp:Requester"),
message,
null);
retResponse = new FSResponse(
respID, inResponseTo, status, contents);
retResponse.setMinorVersion(
samlRequest.getMinorVersion());
return retResponse;
} catch( SAMLException sse ) {
FSUtils.debug.error(
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse:Fatal error, "
+ "cannot create status or response: "
+ sse.getMessage());
}
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message(
"FSSSOBrowserArtProfileHandler.createSAMLResp:"
+ " SAMLRequest signature verified");
}
}
}
//end signature verification
} else {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: No artifact found in samlRequest");
message = FSUtils.bundle.getString("missingArtifact");
try {
status = new Status(
new StatusCode("samlp:Requester"), message, null);
retResponse = new FSResponse(
respID,inResponseTo, status, contents);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
return retResponse;
} catch( SAMLException sse ) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse:Fatal error, "
+ "cannot create status or response: ", sse);
return null;
}
}
for (int i = 0; i < length; i++) {
AssertionArtifact artifact =(AssertionArtifact)
artifacts.get(i);
Assertion assertion = null;
try {
assertion = am.getAssertion(artifact, spEntityId);
} catch(FSException e ) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message(
"FSSSOBrowserArtifactProfileHandler.createSAML"
+ "Response:could not find matching assertion:", e);
}
message = e.getMessage();
try {
status = new Status(
new StatusCode("samlp:Success"), message, null);
retResponse = new FSResponse(
respID,inResponseTo, status, contents);
retResponse.setMinorVersion(
samlRequest.getMinorVersion());
} catch( SAMLException sse ) {
FSUtils.debug.error(
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse:Fatal error, "
+ "cannot create status or response: ", sse);
}
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { respPrefix , retResponse.toString() };
LogUtil.access(
Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
} else {
String[] data = { respPrefix,
FSUtils.bundle.getString("responseID") + "=" +
retResponse.getResponseID() + "," +
FSUtils.bundle.getString("inResponseTo") + "=" +
retResponse.getInResponseTo()};
LogUtil.access(
Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
}
return retResponse;
}
if (assertion != null) {
assertions.add(i,assertion);
}
}
}
int assertionSize = assertions.size();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: found " + assertionSize + "assertions.");
}
// check that the target restriction condition
// inside the assertion has the calling host's address in it.
for (int i = 0; i < assertionSize; i++) {
Assertion assn = (Assertion)assertions.get(i);
Conditions conds = assn.getConditions();
Set trcs = conds.getAudienceRestrictionCondition();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: checking to see if assertions"
+ " are for host:" + remoteAddr);
}
if (trcs != null && !trcs.isEmpty()) {
Iterator trcsIterator = trcs.iterator();
while (trcsIterator.hasNext()) {
if (!((AudienceRestrictionCondition)trcsIterator.next())
.containsAudience(remoteAddr))
{
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message(
"FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: removing TRC not"
+ "meant for this host");
}
assertions.remove(assn);
}
}
}
}
assertionSize = assertions.size();
if (assertionSize == 0) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: Matching Assertions(s) not "
+ "created for this host");
}
message = FSUtils.bundle.getString("mismatchDest");
try {
status =
new Status(new StatusCode("samlp:Success"), message, null);
retResponse = new FSResponse(
respID, inResponseTo, status, contents);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
} catch( SAMLException se ) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: Fatal error, "
+ "cannot create status or response:", se);
}
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { respPrefix , retResponse.toString() };
LogUtil.access(Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
} else {
String[] data = { respPrefix,
FSUtils.bundle.getString("responseID") + "=" +
retResponse.getResponseID() + "," +
FSUtils.bundle.getString("inResponseTo") + "=" +
retResponse.getInResponseTo()};
LogUtil.access(
Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
}
return retResponse;
}
if (reqType == Request.ASSERTION_ARTIFACT) {
if (assertions.size() == artifacts.size()) {
message = null;
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: Matching Assertion found");
}
try {
status = new Status(
new StatusCode("samlp:Success"), message, null);
retResponse = new FSResponse(
respID, inResponseTo, status, assertions);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
} catch( SAMLException se ) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: Fatal error, "
+ "cannot create status or response:", se);
return null;
} catch(Exception e ) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: Fatal error, "
+ "cannot create status or response:", e);
return null;
}
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { respPrefix , retResponse.toString() };
LogUtil.access(
Level.FINER,LogUtil.CREATE_SAML_RESPONSE, data);
} else {
String[] data = { respPrefix,
FSUtils.bundle.getString("responseID") + "=" +
retResponse.getResponseID() + "," +
FSUtils.bundle.getString("inResponseTo") + "=" +
retResponse.getInResponseTo()};
LogUtil.access(
Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
}
return retResponse;
} else {
message = FSUtils.bundle.getString("unequalMatch");
try {
status = new Status(
new StatusCode("samlp:Success"), message, null);
retResponse = new FSResponse(
respID, inResponseTo, status, assertions);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
} catch( SAMLException se ) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: Fatal error, "
+ "cannot create status or response:", se);
}
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { respPrefix , retResponse.toString() };
LogUtil.access(
Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
} else {
String[] data = { respPrefix,
FSUtils.bundle.getString("responseID") + "=" +
retResponse.getResponseID() + "," +
FSUtils.bundle.getString("inResponseTo") + "=" +
retResponse.getInResponseTo()};
LogUtil.access(
Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
}
return retResponse;
}
} else { // build response for all the other type of request
try {
message = null;
status = new Status(
new StatusCode("samlp:Success"), message, null);
retResponse = new FSResponse(
respID, inResponseTo, status, assertions);
retResponse.setMinorVersion(samlRequest.getMinorVersion());
} catch( SAMLException se ) {
FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
+ "createSAMLResponse: Fatal error, "
+ "cannot create status or response:", se);
}
}
if (LogUtil.isAccessLoggable(Level.FINER)) {
String[] data = { respPrefix , retResponse.toString() };
LogUtil.access(Level.FINER,LogUtil.CREATE_SAML_RESPONSE, data);
} else {
String[] data = { respPrefix,
FSUtils.bundle.getString("responseID") + "=" +
retResponse.getResponseID() + "," +
FSUtils.bundle.getString("inResponseTo") + "=" +
retResponse.getInResponseTo()};
LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
}
return retResponse;
}
/**
* Generates artifact and sends it to <code>SP</code>.
* @return <code>true</code> always.
*/
@Override
protected boolean doSingleSignOn(
    Object ssoToken,
    String inResponseTo,
    NameIdentifier opaqueHandle,
    NameIdentifier idpOpaqueHandle
)
{
    FSUtils.debug.message(
        "FSSSOBrowserArtifactProfileHandler.doSingleSignOn: Called");
    // Keep the token on the handler: sendSAMLArtifacts reads the field when
    // it writes the REDIRECT_TO access-log entry.
    this.ssoToken = ssoToken;
    List artifactStrings = createSAMLAssertionArtifact(
        ssoToken, inResponseTo, opaqueHandle, idpOpaqueHandle);
    // A null list (assertion creation failed) is not an error here;
    // sendSAMLArtifacts substitutes a fault artifact in that case.
    sendSAMLArtifacts(artifactStrings);
    return true;
}
/**
* Creates assertion and assertion artifact.
*/
protected List createSAMLAssertionArtifact(
    Object ssoToken,
    String inResponseTo,
    NameIdentifier userHandle,
    NameIdentifier idpHandle
)
{
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
            + "createSAMLAssertionArtifact: Called");
    }
    List result = new ArrayList();
    try {
        // The assertion manager of this hosted provider creates the
        // assertion and its artifact; createSAMLResponse later resolves the
        // artifact through the same manager (am.getAssertion).
        FSAssertionManager am = FSAssertionManager.getInstance(metaAlias);
        String sessionID =
            SessionManager.getProvider().getSessionID(ssoToken);
        AssertionArtifact artifact = am.createFSAssertionArtifact(
            sessionID,
            realm,
            spEntityId,
            userHandle,
            idpHandle,
            inResponseTo,
            authnRequest.getMinorVersion());
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("AssertionArtifact id = " +
                artifact.toString());
        }
        // Only the encoded artifact string is handed to the caller (and thus
        // to the SP); the assertion itself stays with the assertion manager.
        result.add(artifact.getAssertionArtifact());
        return result;
    } catch(FSException se) {
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
            + "createSAMLAssertionArtifact(0): ", se);
        return null;
    } catch(SAMLException se) {
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
            + "createSAMLAssertionArtifact(1): ", se);
        return null;
    } catch (SessionException se) {
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
            + "createSAMLAssertionArtifact(2): ", se);
        return null;
    }
}
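/**
 * Redirects the browser to the SP's assertion consumer service carrying the
 * artifact(s) as query parameters (browser/artifact profile).
 *
 * <p>A {@code null} list means assertion creation failed; the fault artifact
 * from {@code createFaultSAMLArtifact()} is sent instead so the SP still has
 * something to resolve. If that also fails, or the list is empty, an empty
 * artifact parameter is sent.
 *
 * <p>The redirect target comes from the SP's metadata, not from the request;
 * the RelayState taken from the AuthnRequest is only appended as a
 * URL-encoded query parameter. Any failure is logged and the method returns
 * without writing a response.
 *
 * @param artis list of artifact strings, or {@code null}
 */
private void sendSAMLArtifacts(List artis) {
    FSUtils.debug.message(
        "FSSSOBrowserArtifactProfileHandler.sendSAMLArtifacts: Called");
    if (artis == null) {
        artis = createFaultSAMLArtifact();
    }
    try {
        String targetURL = FSServiceUtils.getAssertionConsumerServiceURL(
            spDescriptor, authnRequest.getAssertionConsumerServiceID());
        // Without a consumer endpoint there is nowhere to send the browser.
        // Say so explicitly instead of letting the NPE on indexOf below be
        // swallowed by the generic catch with nothing but a stack trace.
        if (targetURL == null || targetURL.length() == 0) {
            FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
                + "sendSAMLArtifacts: no assertion consumer service URL "
                + "resolved for the SP; cannot send artifacts");
            return;
        }
        StringBuilder query = new StringBuilder(1000);
        if (artis == null || artis.isEmpty()){
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
                    + "sendSAMLArtifacts: Sending null artifact");
            }
            query.append(IFSConstants.ARTIFACT_NAME_DEFAULT)
                .append("=")
                .append("&");
        } else {
            // Raw List: every element is an artifact String (see
            // createSAMLAssertionArtifact / createFaultSAMLArtifact).
            for (Object element : artis) {
                String art = URLEncDec.encode((String) element);
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message(
                        "FSSSOBrowserArtifactProfileHandler."
                        + "sendSAMLArtifacts: " + art);
                }
                query.append(IFSConstants.ARTIFACT_NAME_DEFAULT)
                    .append("=")
                    .append(art)
                    .append("&");
            }
        }
        StringBuilder redirect = new StringBuilder(1000);
        // Continue an existing query string rather than starting a second one.
        redirect.append(targetURL)
            .append(targetURL.indexOf('?') == -1 ? "?" : "&")
            .append(query);
        String relayURL = authnRequest.getRelayState();
        if (relayURL != null) {
            // RelayState is request-supplied; it is encoded so it cannot
            // break out of its own query parameter.
            redirect.append(IFSConstants.LRURL)
                .append("=")
                .append(URLEncDec.encode(relayURL));
        }
        String redirecto = redirect.toString();
        // sendRedirect sets the 302 status and the Location header itself,
        // so they are no longer set by hand here.
        response.setContentType("text/html");
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
                + "sendSAMLArtifacts: Sending artifacts to: " + redirecto);
        }
        // The full redirect URL, artifact values included, goes to the
        // access log at FINER.
        String[] data = { redirecto };
        LogUtil.access(Level.FINER, LogUtil.REDIRECT_TO, data, ssoToken);
        response.sendRedirect(redirecto);
    } catch(Exception ex){
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
            + "sendSAMLArtifacts: ", ex);
    }
}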
/**
* Generates a valid SAML artifact in response
* to a single sign-on request for a non-federated user.
*/
private List createFaultSAMLArtifact() {
    FSUtils.debug.message(
        "FSSSOBrowserArtifactProfileHandler. In createFaultSAMLArtifacts");
    // An artifact needs an assertion handle even though no assertion will
    // be issued for it.
    String handle = SAMLUtils.generateAssertionHandle();
    if (handle == null) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." +
                "create FaultSAMLArtifacts: couldn't generate assertion " +
                "handle.");
        }
        return null;
    }
    try {
        String sourceSuccinctID = FSUtils.generateSourceID(hostedEntityId);
        byte[] sourceIdBytes = SAMLUtils.stringToByteArray(sourceSuccinctID);
        byte[] handleBytes = handle.getBytes(IFSConstants.SOURCEID_ENCODING);
        AssertionArtifact faultArtifact =
            new FSAssertionArtifact(sourceIdBytes, handleBytes);
        List faultArtifacts = new ArrayList();
        faultArtifacts.add(faultArtifact.getAssertionArtifact());
        // Register noFedStatus for this artifact so that the later artifact
        // resolution (createSAMLResponse, am.getErrorStatus) can answer the
        // SP with that status instead of an assertion.
        FSAssertionManager am = FSAssertionManager.getInstance( metaAlias );
        am.setErrStatus( faultArtifact, noFedStatus );
        return faultArtifacts;
    } catch(Exception e) {
        FSUtils.debug.error(
            "FSBrowserArtifactProfileHandler.createFaultSAMLArtifacts: ", e);
        return null;
    }
}
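/**
 * Verifies the XML signature of the SOAP message carrying the SAML request
 * against the verification certificate taken from the requesting SP's
 * metadata.
 *
 * <p>Fails closed: a missing certificate, a DOM conversion failure or any
 * exception from the signature check yields {@code false}; the caller
 * ({@code createSAMLResponse}) turns that into a {@code samlp:Requester}
 * error response.
 *
 * @param samlRequestElement the SAML request element; not consulted here,
 *        the signature is verified over the whole SOAP document
 * @param msg the SOAP message the request arrived in
 * @return {@code true} only if the signature verifies with the SP's
 *         certificate
 */
protected boolean verifySAMLRequestSignature(
    Element samlRequestElement,
    SOAPMessage msg
)
{
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
            + "verifySAMLRequestSignature: Called");
    }
    try {
        // The key is looked up in the remote SP's descriptor, so a request
        // signed with any other key is rejected.
        X509Certificate cert = KeyUtil.getVerificationCert(
            spDescriptor, spEntityId, false);
        if (cert == null) {
            // Nothing to verify with: reject directly rather than throwing
            // only for the generic catch below to log a stack trace.
            FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
                + "verifySAMLRequestSignature: couldn't obtain the SP's "
                + "verification cert: "
                + FSUtils.bundle.getString(IFSConstants.NO_CERT));
            return false;
        }
        XMLSignatureManager manager = XMLSignatureManager.getInstance();
        Document doc = (Document)FSServiceUtils.createSOAPDOM(msg);
        // NOTE(review): which Signature element must be present and what it
        // has to cover is decided inside verifyXMLSignature; confirm it
        // requires the signature to envelop the SAML Request element.
        return manager.verifyXMLSignature(doc, cert);
    } catch(Exception e){
        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
            + "verifySAMLRequestSignature: Exception occured while "
            + "verifying the SP's signature:" , e);
        return false;
    }
}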
}