4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * The contents of this file are subject to the terms
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * of the Common Development and Distribution License
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * (the License). You may not use this file except in
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * compliance with the License.
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * You can obtain a copy of the License at
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * https://opensso.dev.java.net/public/CDDLv1.0.html or
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * See the License for the specific language governing
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * permission and limitations under the License.
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * When distributing Covered Code, include this CDDL
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * Header Notice in each file and include the License file
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * If applicable, add the following below the CDDL Header,
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * with the fields enclosed by brackets [] replaced by
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * your own identifying information:
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * "Portions Copyrighted [year] [name of copyright owner]"
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * $Id: FSSSOBrowserArtifactProfileHandler.java,v 1.6 2008/12/19 06:50:46 exu Exp $
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * Portions Copyrighted 2013 ForgeRock, Inc.
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkpackage com.sun.identity.federation.services.fednsso;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.services.FSAssertionManager;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.services.util.FSServiceUtils;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.message.FSResponse;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.message.FSSAMLRequest;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.message.FSAuthnRequest;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.message.FSAssertionArtifact;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.common.FSUtils;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.common.FSException;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.common.IFSConstants;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.common.LogUtil;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.federation.jaxb.entityconfig.BaseConfigType;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.liberty.ws.meta.jaxb.SPDescriptorType;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.plugin.session.SessionException;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.plugin.session.SessionManager;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.xmlsig.XMLSignatureManager;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.assertion.Assertion;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.assertion.NameIdentifier;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.assertion.Conditions;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.assertion.AudienceRestrictionCondition;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.protocol.StatusCode;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.protocol.AssertionArtifact;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.common.SAMLException;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkimport com.sun.identity.saml.common.SAMLResponderException;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * <code>IDP</code> single sign on service handler handles browser artifact
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenkpublic class FSSSOBrowserArtifactProfileHandler extends FSSSOAndFedHandler {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * Sets <code>SOAP</code> message.
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @param msg <code>SOAPMessage</code> object
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * Sets <code>SAML</code> request element.
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @param root <code>SAML</code> request element
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk public void setSAMLRequestElement(Element root) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "FSBrowserArtifactConsumerHandler.setSAMLRequestElement: Called");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk protected FSSSOBrowserArtifactProfileHandler() {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * Constructor.
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @param request <code>HttpServletRequest</code> object
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @param response <code>HttpServletResponse</code> object
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @param authnRequest authentication request
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @param spDescriptor <code>SP</code>'s provider descriptor
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @param spConfig <code>SP</code>'s extended meta config
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @param spEntityId <code>SP</code>'s entity id
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @param relayState where to go after single sign on is done
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk super(request, response, authnRequest, spDescriptor,
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * Constructor.
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @param request <code>HttpServletRequest</code> object
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @param response <code>HttpServletResponse</code> object
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @param samlRequest <code>Request</code> object that contains artifact
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk //this.samlRequest = samlRequest;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * Processes authentication request.
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @param authnRequest authentication request
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @param bPostAuthn <code>true</code> indicates it's post authentication;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * <code>false</code> indicates it's pre authentication.
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "FSSSOBrowserArtifactProfileHandler.processAuthnRequest: Called");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "processAuthnRequest: AuthnRequest Processing"
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "successful");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "processAuthnRequest: AuthnRequest Processing "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "failed");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.bundle.getString("AuthnRequestProcessingFailed")
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "processAuthnRequest: ProviderID : "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + " AuthnRequestSigned : "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "processAuthnRequest: "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "AuthnRequest Signature Verification Failed");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "signatureVerificationFailed") };
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "processAuthnRequest: "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "AuthnRequest Signature Verified");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "processAuthnRequest: AuthnRequest Processing "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + " successful");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "processAuthnRequest: AuthnRequest Processing "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "failed");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.bundle.getString("AuthnRequestProcessingFailed")
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "processAuthnRequest: Exception Occured: ", e);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * Processes request with artifacts.
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @param samlRequest <code>FSSAMLRequest</code> object
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * @return <code>FSResponse</code> object
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk public FSResponse processSAMLRequest(FSSAMLRequest samlRequest) {
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "FSSSOBrowserArtifactProfileHandler.processSAMLRequest: Called");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "processSAMLRequest: Fatal error, "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "cannot create status or response: ", e);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk private FSResponse createSAMLResponse(FSSAMLRequest samlRequest)
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "FSSSOBrowserArtifactProfileHandler.createSAMLResponse: Called");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String inResponseTo= samlRequest.getRequestID();
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String remoteAddr = ClientUtils.getClientIPAddress(request);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.bundle.getString("responseLogMessage") + " " + remoteAddr;
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "createSAMLResponse: "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "Found element in the request which are not supported");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk message = FSUtils.bundle.getString("unsupportedElement");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk new StatusCode("samlp:Responder"),message, null);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk retResponse.setMinorVersion(samlRequest.getMinorVersion());
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "createSAMLResponse: "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "Fatal error, cannot create status or response: ", se);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String[] data = { respPrefix , retResponse.toString() };
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk LogUtil.access(Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.bundle.getString("inResponseTo") + "=" +
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk LogUtil.access(Level.INFO,LogUtil.CREATE_SAML_RESPONSE,data);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "createSAMLResponse: Cannot instantiate "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "FSAssertionManager");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk new StatusCode("samlp:Responder"), message, null);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk retResponse.setMinorVersion(samlRequest.getMinorVersion());
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "createSAMLResponse: "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "Fatal error, cannot create status or response: ", sse);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk String[] data = { respPrefix , retResponse.toString() };
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk LogUtil.access(Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.bundle.getString("inResponseTo") + "=" +
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk LogUtil.access(Level.INFO,LogUtil.CREATE_SAML_RESPONSE,data);
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk // ensure that all the artifacts have the same sourceID
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "createSAMLResponse: Artifacts not from "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "the same source");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk message = FSUtils.bundle.getString("mismatchSourceID");
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * Need a second level status for the federation
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk * does not exist.
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk "FSSSOBrowserArtifactProfileHandler."
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk + "createSAMLResponse: Fatal error, "
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk FSUtils.bundle.getString("inResponseTo") + "=" +
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk } else { //sourceids are equal
4b8d88eb610aa1e0bb6ec632f792744b3d6b5f22jeff.schenk } else {// sourceID == null
new StatusCode(
null)),
null);
return retResponse;
return null;
null);
return retResponse;
null);
return retResponse;
return null;
null);
return retResponse;
return retResponse;
return null;
} catch(FSException e ) {
return retResponse;
status =
return retResponse;
return null;
} catch(Exception e ) {
return null;
return retResponse;
return retResponse;
return retResponse;
protected boolean doSingleSignOn(
return artifactList;
return null;
return null;
return null;
return null;
return artis;
} catch(Exception e) {
return null;
protected boolean verifySAMLRequestSignature(
throw new SAMLResponderException(
} catch(Exception e){