SAML2Utils.java revision 34f7fc919553f0b520d0008264f1c5af819a3861
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* Portions Copyrighted 2010-2014 ForgeRock AS.
* Portions Copyrighted 2014 Nomura Research Institute, Ltd
*/
/**
* The <code>SAML2Utils</code> contains utility methods for SAML 2.0
* implementation.
*/
public class SAML2Utils extends SAML2SDKUtils {
// SAML2MetaManager
private static String server_protocol =
private static String server_host =
private static String server_port =
private static int int_server_port = 0;
private static final char EQUALS = '=';
private static final char SEMI_COLON = ';';
private static final char DOUBLE_QUOTE = '"';
?"8192":SAML2ConfigService.
// Dir server info for CRL entry
private static boolean checkCertStatus = false;
private static boolean checkCAStatus = false;
static {
try {
} catch (SOAPException se) {
"Unable to obtain SOAPConnectionFactory.", se);
}
try {
}
} catch (NumberFormatException nfe) {
}
/*
* Setup the LDAP certificate directory service context for
* use in verification of signing certificates.
*/
if (checkCertStatusStr != null) {
.booleanValue();
if (debug.messageEnabled()) {
+ checkCertStatus);
+ checkCAStatus);
}
} else {
if (debug.messageEnabled()) {
"with old config style.");
}
}
}
static {
try {
} catch (SOAPException se) {
"SAML2Utils: Unable to create SOAP MessageFactory", se);
}
}
static {
try {
new SAML2MetaManager();
} catch (SAML2MetaException sme) {
}
try {
cotManager = new CircleOfTrustManager();
} catch (COTException sme) {
}
// run the scheduler in case of server or Fedlet
if (SystemConfigurationUtil.isServerMode() ||
}
}
/**
* Verifies single sign on <code>Response</code> and returns information
* to SAML2 auth module for further processing. This method is used by
* SAML2 auth module only.
* @param httpRequest HttpServletRequest
* @param httpResponse HttpServletResponse
* @param response Single Sign On <code>Response</code>.
* @param orgName name of the realm or organization the provider is in.
* @param hostEntityId Entity ID of the hosted provider.
* @param profileBinding Profile binding used.
* @return A Map of information extracted from the Response. The keys of
* map are: <code>SAML2Constants.SUBJECT</code>,
* <code>SAML2Constants.POST_ASSERTION</code>,
* <code>SAML2Constants.ASSERTIONS</code>,
* <code>SAML2Constants.SESSION_INDEX</code>,
* <code>SAML2Constants.AUTH_LEVEL</code>,
* <code>SAML2Constants.MAX_SESSION_TIME</code>.
* @throws SAML2Exception if the Response is not valid according to the
* processing rules.
*/
public static Map verifyResponse(
throws SAML2Exception {
if (debug.messageEnabled()) {
}
}
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
// Attempt to read AuthnRequestInfoCopy from SAML2 repository
try {
} catch(SAML2TokenRepositoryException se) {
+ " unable to retrieve from SAML2 repository for inResponseTo: " + inRespToResp);
}
if (reqInfoCopy != null) {
// Get back the AuthnRequestInfo
if (debug.messageEnabled()) {
+ " retrieved from SAML2 repository for inResponseTo: " + inRespToResp);
}
} else {
data,
null);
"invalidInResponseToInResponse"));
}
} else {
// !SAML2Utils.isSAML2FailoverEnabled()
data,
null);
"invalidInResponseToInResponse"));
}
}
}
// invoke SP Adapter
}
}
if (debug.messageEnabled()) {
}
data,
null);
"invalidIssuerInResponse"));
} else {
}
}
if (debug.messageEnabled()) {
}
}
data,
null);
//In case of passive authentication the NoPassive response will be sent using two StatusCode nodes:
//the outer StatusCode will be Responder and the inner StatusCode will contain the NoPassive URN
if (secondLevelStatusCode != null
}
}
}
if (saml2MetaManager == null) {
}
boolean needAssertionEncrypted = false;
if (assertionEncryptedAttr != null &&
needAssertionEncrypted = true;
}
// for SSO Post Profile check if assertion needs
if (!needAssertionSigned) {
}
// POST Profile - if Response signing is true then
// assertion signing will not be done at the IDP
if (needAssertionSigned) {
boolean wantPostResponseSigned =
if (debug.messageEnabled()) {
}
if (wantPostResponseSigned) {
if (debug.messageEnabled()) {
}
needAssertionSigned = false;
} else {
// POST Profile - it is sufficient if response is
// signed, not a mandatory condition that assertion
// be also signed.
// Make sure that the certificate is valid
try {
} catch (SAML2MetaException sme) {
}
if (idpSSODescriptor != null) {
needAssertionSigned = false;
}
}
}
}
}
}
data,
null);
throw new SAML2Exception(
}
if (encAssertions != null) {
if (decryptionKey == null) {
}
if (assertions == null) {
assertions = new ArrayList();
}
}
}
if (debug.messageEnabled()) {
}
data,
null);
throw new SAML2Exception(
}
while (assertionIter.hasNext()) {
data,
null);
"invalidIssuerInAssertion"));
}
if (idpEntityId == null) {
} else {
if (debug.messageEnabled()) {
+ "match the Issuer in Response or other "
+ "Assertions in the Response.");
}
data,
null);
throw new SAML2Exception(
}
}
if (needAssertionSigned) {
}
"Assertion is not signed or signature is not valid.");
data,
null);
"invalidSignatureOnAssertion"));
}
}
continue;
}
continue;
}
continue;
}
boolean foundAssertion = false;
foundAssertion = true;
}
try {
foundAssertion = true;
}
} catch(SAML2TokenRepositoryException e) {
if (debug.messageEnabled()) {
}
}
}
if (foundAssertion) {
"use only!");
"usedBearAssertion"));
}
}
} // end of having authnStmt
}
}
return smap;
}
throws SAML2Exception {
boolean hasBearer = false;
if (subjectConfirm == null ||
continue;
}
// since this is bearer SC, all below must be true
if (subjectConfData == null) {
if (debug.messageEnabled()) {
}
data,
null);
"missingSubjectConfirmationData"));
}
if (debug.messageEnabled()) {
}
data,
null);
}
boolean foundMatch = false;
foundMatch = true;
break;
}
}
if (!foundMatch) {
if (debug.messageEnabled()) {
+ "recipient.");
}
data,
null);
}
// in seconds
if (timeskew < 0) {
}
}
if (debug.messageEnabled()) {
}
if (notOnOrAfter == null ||
System.currentTimeMillis())) {
if (debug.messageEnabled()) {
}
data,
null);
"invalidTimeOnSubjectConfirmationData"));
}
System.currentTimeMillis()) {
if (debug.messageEnabled()) {
+ "NotBefore.");
}
data,
null);
"containedNotBefore"));
}
}
if (debug.messageEnabled()) {
+ "different from the one in Response.");
}
data,
null);
"wrongInResponseToInAssertion"));
}
} else {
if (debug.messageEnabled()) {
+ "InResponseTo, but Response does.");
}
data,
null);
"wrongInResponseToInAssertion"));
}
}
hasBearer = true;
break;
}
return retMap;
}
throws SAML2Exception {
if (debug.messageEnabled()) {
}
data,
null);
}
if (restrictions == null) {
if (debug.messageEnabled()) {
}
data,
null);
"missingAudienceRestriction"));
}
boolean found = false;
found = true;
break;
}
}
if (!found) {
if (debug.messageEnabled()) {
}
data,
null);
}
}
throws SAML2Exception {
// use the first AuthnStmt
int authLevel = -1;
}
if (authnRequest != null) {
}
}
}
if (authLevel >= 0) {
}
// SessionNotOnOrAfter
if (sessionNotOnOrAfter != null) {
if (maxSessionTime > 0) {
new Long(maxSessionTime));
}
}
}
if (debug.messageEnabled()) {
+ "assertion.");
}
if (notOnOrAfterTime != null) {
}
data,
null);
return smap;
}
/**
* Retrieves attribute value for a given attribute name from
* <code>SPSSOConfig</code>.
* @param config <code>SPSSOConfigElement</code> instance.
* @param attrName name of the attribute whose value ot be retrived.
* @return value of the attribute; or <code>null</code> if the attribute
* if not configured, or an error occured in the process.
*/
public static String getAttributeValueFromSPSSOConfig(
return null;
}
}
return result;
}
/**Gets List of 'String' assertions from the list of 'Assertion' assertions
* @param assertions A list of Assertions
* @return a String printout of the list of Assertions
*/
if (assertions != null) {
try {
} catch (SAML2Exception e) {
}
}
}
return returnAssertions;
}
/**
* Checks if it is a persistent request or not.
* @param nameId Name ID object
* @return true if it is a persistent request, false if not.
*/
boolean isPersistent = false;
return isPersistent;
}
isPersistent = true;
}
}
if (debug.messageEnabled()) {
}
return isPersistent;
}
/**
* Checks if the federation information for the user exists or not.
* @param userName user id for which account federation needs to be
* returned.
* @param hostEntityID <code>EntityID</code> of the hosted entity.
* @param remoteEntityId <code>EntityID</code> of the remote entity.
* @return true if exists, false otherwise.
*/
boolean exists = false;
return exists;
}
try {
exists = true;
}
} catch (SAML2Exception se) {
if (debug.messageEnabled()) {
}
} catch (Exception e) {
}
if (debug.messageEnabled()) {
}
return exists;
}
/**
* Returns the <code>NameIDInfoKey</code> key value pair that can
* be used for searching the user.
* @param nameID <code>NameID</code> object.
* @param hostEntityID hosted <code>EntityID</code>.
* @param remoteEntityID remote <code>EntityID</code>.
* @param hostEntityRole the role of hosted entity.
* @exception <code>SAML2Exception</code> if any failure.
*/
throws SAML2Exception {
"nullNameID"));
}
} else {
"spNotAffiliationMember"));
}
} else {
remoteEntityID)) {
"spNotAffiliationMember"));
}
}
}
} else {
}
if (debug.messageEnabled()) {
}
return keyMap;
}
/**
* Returns <code>true</code> if <code>Issuer</code> is valid.
*
* @param issuer to be checked <code>Issuer</code> instance.
* @param orgName the name of the realm or organization.
* @param hostEntityId Entity ID of the hosted provider.
* @return <code>true</code> if the <code>Issuer</code> is trusted;
* <code>false</code> otherwise.
*/
public static boolean isSourceSiteValid(
) {
boolean isValid = false;
try {
// Check if entityID is trusted provider
}
}
return isValid;
} catch (Exception e) {
"Exception : ", e);
return false;
}
}
/**
* Returns <code>DataStoreProvider</code> object.
* @return <code>DataStoreProvider</code> configured for the SAML2 plugin.
* @exception SAML2Exception if any failure.
*/
public static DataStoreProvider getDataStoreProvider()
throws SAML2Exception {
try {
} catch (DataStoreProviderException dse) {
"DataStoreProviderException : ", dse);
throw new SAML2Exception(dse);
}
}
/**
* Returns the encoded request message. The SAML Request message must be
* encoded before being transmitted. The Request message is base-64
* encoded according to the rules specified in RFC2045.
* @param str String to be encoded.
* @return String the encoded String value or null on error.
*/
try {
} catch (UnsupportedEncodingException uee) {
}
return encoded;
}
/**
* Returns the encoded request message.
* The SAML Request message must be
* encoded before being transmitted.
* The Request message is encoded as follows:
* 1. URL Encoded using the DEFLATE compression method.
* 2. Then the message is base-64 encoded according to
* the rules specified in RFC2045.
* @param str String to be encoded.
* @return String the encoded String value or null on error.
*/
byte[] input;
try {
} catch (UnsupportedEncodingException uee) {
return null;
}
try {
} catch (IOException e) {
return null;
} finally {
}
if (debug.messageEnabled()) {
}
return encoded;
}
/**
* Decodes the request message.
*
* @param str String to be decoded.
* @return String the decoded String.
*/
return null;
}
if (debug.messageEnabled()) {
}
return null;
}
// From the Inflater JavaDoc:
// Note: When using the 'nowrap' option it is also necessary to provide an extra "dummy" byte as input.
// This is required by the ZLIB native library in order to support certain optimizations.
int bufferLength = 2048;
try {
}
} catch (NumberFormatException nfe) {
}
// Decompress the bytes
InflaterInputStream inflaterInputStream = new InflaterInputStream(new ByteArrayInputStream(input), inflater);
try {
int b = inflaterInputStream.read();
while (b != -1) {
b = inflaterInputStream.read();
}
} catch (IOException e) {
return null;
} finally {
}
try {
} catch (UnsupportedEncodingException uee) {
return null;
}
if (debug.messageEnabled()) {
}
return result;
}
/**
* Removes new line character from a String.
*
* @param s String to remove newline characters from.
* @return String with newline characters trimmed.
*/
char[] chars = s.toCharArray();
for (int i = 0; i < len; i++) {
char c = chars[i];
if (c != '\n') {
}
}
} else {
retString = s;
}
return retString;
}
/**
* Returns an instance of <code>SAML2MetaManger</code>.
*
* @return Instance of <code>SAML2MetaManager</code>
*/
public static SAML2MetaManager getSAML2MetaManager() {
return saml2MetaManager;
}
/**
* Returns the realm.
* @param realm Realm object.
* @return realm if the input is not null or empty, otherwise
* return the root realm.
*/
"/" : realm;
}
/**
* Returns the realm
* @param paramsMap a map of parameters
* @return realm if the input map contains the realm, otherwise
* return the default realm from AMConfig.properties
*/
"/" : realm;
}
/**
* Returns the query parameter value for the param specified
* @param paramsMap a map of parameters
* @param attrName name of the parameter
* @return the value of this parameter
*/
}
}
return attrVal;
}
/**
* Returns a Map of paramters retrieved from the Query parameters
* in the HttpServletRequest.
*
* @param request the <code>HttpServletRequest</code>.
* @return a Map where the key is the parameter Name and
* value is of the type List.
*/
if (relayState != null) {
}
}
if (forceAuthN != null) {
}
if (allowCreate != null) {
}
}
if (destination != null) {
}
if (nameIDPolicy != null) {
}
}
if (acsUrlIndex != null) {
}
}
if (authComparison != null) {
}
}
if (authContextClassRef != null) {
}
}
}
if (reqBinding != null) {
}
}
return paramsMap;
}
/**
* as a List. The string passed to this method
* is a pipe separated value.
*
* @param str a pipe separated String to be parsed.
* @return List contained the parsed values.
*/
while (st.hasMoreTokens()) {
}
return ctxList;
}
/**
* Generates provider Source ID based on provider Entity ID. The returned
* is SHA-1 digest string.
* @param entityID Entity ID for example <code>http://host.sun.com:81</code>
* @return sourceID string
*/
return null;
}
try {
} catch (NoSuchAlgorithmException e) {
return null;
}
}
}
/**
* Extracts serverID from the specified id.
* @param id an id.
* @return the extracted id, or null if the given string is too short or null.
*/
return null;
}
return serverID;
}
/**
* Gets remote service URL according to server id embedded in specified id.
* @param id an id.
* @return remote service URL or null if it is local or an error occurred.
*/
if (debug.messageEnabled()) {
}
try {
return null;
}
if (debug.warningEnabled()) {
debug.warning("SAML2Utils.getRemoteServiceURL: the given id refers to a site and not a server: " + serverID);
}
return null;
}
if (debug.messageEnabled()) {
}
return null;
}
}
/**
* Generates ID with server id at the end.
* @return ID value.
*/
public static String generateIDWithServerID() {
return null;
}
return embedServerID(id);
}
/**
* Generates message handle with server id used in an <code>Artifact</code>.
*
* @return String format of 20-byte sequence identifying message.
*/
public static String generateMessageHandleWithServerID() {
return null;
}
return embedServerID(id);
}
/**
* Replaces last 2 chars of specified id with server id.
* @param id an id
* @return String with server id at the end.
*/
try {
// serverId is 2 digit string
} else if (debug.messageEnabled()) {
"invalid server id = " + serverId);
}
if (debug.messageEnabled()) {
}
}
return id;
}
/**
* Returns the server id of the local server
*/
public static String getLocalServerID() {
try {
if (debug.messageEnabled()) {
}
}
return serverId;
}
/**
* Creates <code>SOAPMessage</code> with the input XML String
* as message body.
* @param xmlString XML string to be put into <code>SOAPMessage</code> body.
* @param isClientMessage true if the message is sent from SOAP client to
* server.
* @return newly created <code>SOAPMessage</code>.
* @exception SOAPException if it cannot create the
* <code>SOAPMessage</code>.
*/
boolean isClientMessage)
throws SOAPException, SAML2Exception {
}
/**
* Creates <code>SOAPMessage</code> with the input XML String
* as message header and body.
* @param header XML string to be put into <code>SOAPMessage</code> header.
* @param body XML string to be put into <code>SOAPMessage</code> body.
* @param isClientMessage true if the message is sent from SOAP client to
* server.
* @return newly created <code>SOAPMessage</code>.
* @exception SOAPException if it cannot create the
* <code>SOAPMessage</code>.
*/
boolean isClientMessage)
throws SOAPException, SAML2Exception {
try {
if (isClientMessage) {
}
if (debug.messageEnabled()) {
}
.append(":Header>");
}
.append(":Body>");
}
if (debug.messageEnabled()) {
}
} catch (IOException io) {
}
return msg;
}
/**
* Converts a <code>SOAPMessage</code> to a <code>String</code>.
* @param message SOAPMessage object.
* @return the <code>String</code> converted from the
* <code>SOAPMessage</code> or null if an error ocurred.
*/
try {
} catch (IOException ie) {
return null;
} catch (SOAPException soapex) {
return null;
}
}
/**
* Returns SOAP body as DOM Element from SOAPMessage.
* @param message SOAPMessage object.
* @return SOAP body, return null if unable to get the SOAP body element.
*/
throws SAML2Exception {
// check the SOAP message for any SOAP
// related errros before passing control to SAML processor
try {
} catch (IOException ie) {
} catch (SOAPException se) {
}
}
"missingLocalName"));
}
"element is not Envelope or invalid name space or prefix");
"invalidSOAPElement"));
}
if (length <= 0 ) {
"missingSOAPBody"));
}
for (int i = 0; i < length; i++) {
continue;
}
if (debug.messageEnabled()) {
+ childName);
}
// found the Body element
}
}
"missingSOAPBody"));
}
/**
* Returns mime headers in HTTP servlet request.
* @param req HTTP servlet request.
* @return mime headers in HTTP servlet request.
*/
while (e.hasMoreElements()) {
if (debug.messageEnabled()) {
}
while (values.hasMoreTokens()) {
}
}
if (debug.messageEnabled()) {
}
return headers;
}
/**
* Sets mime headers in HTTP servlet response.
* @param headers mime headers to be set.
* @param res HTTP servlet response.
*/
public static void putHeaders(
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
}
} else {
int i = 0;
if (i != 0) {
}
}
}
}
}
/**
* Generates SAMLv2 Status object
* @param code Status code value.
* @param message Status message.
* @return Status object.
*/
}
/**
* Generates SAMLv2 Status object
* @param code Status code value.
* @param subCode second-level status code
* @param message Status message.
* @return Status object.
*/
try {
.createStatusCode();
}
.createStatusCode();
}
} catch (SAML2Exception e) {
}
return status;
}
/**
* Returns a <code>SAML Response</code> object containing error status
*
* @param request the <code>RequestAbstract</code> object
* @param code the error code
* @param subCode teh second-level error code
* @param statusMsg the error message
* @param issuerEntityID the entity id of the issuer
*
* @return the <code>SAML Response</code> object containing error status
* @exception SAML2Exception if the operation is not successful
*/
public static Response getErrorResponse(
throws SAML2Exception {
if (responseID == null) {
return null;
}
// sp initiated case, need to set InResponseTo attribute
}
// set the idp entity id as the response issuer
if (issuerEntityID != null) {
}
}
return errResp;
}
/**
* Returns first Element with given local name in samlp name space inside
* SOAP message.
* @param message SOAP message.
* @param localName local name of the Element to be returned.
* @return first Element matching the local name.
* @throws SAML2Exception if the Element could not be found or there is
* SOAP Fault present.
*/
public static Element getSamlpElement(
if (blength <= 0) {
}
for (int i = 0; i < blength; i++) {
continue;
}
if (debug.messageEnabled()) {
}
"soapFaultInSOAPResponse"));
node.getNamespaceURI())){
break;
}
}
}
return retElem;
}
/**
* Forms a SOAP Fault and puts it in the SOAP Message Body.
* @param faultCode Fault code.
* @param faultString Fault string.
* @param detail Fault details.
* @return SOAP Fault in the SOAP Message Body.
*/
public static SOAPMessage createSOAPFault(
try {
"Problem"));
}
} catch (SOAPException e) {
}
return msg;
}
/**
* Returns SOAP Message from <code>HttpServletRequest</code>.
* @param request <code>HttpServletRequest</code> includes SOAP Message.
* @return SOAPMessage if request include any soap message in the header.
* @throws IOException if error in creating input stream.
* @throws SOAPException if error in creating soap message.
*/
throws IOException, SOAPException {
// Get all the headers from the HTTP request
// Get the body of the HTTP request
// Create a SOAPMessage
}
/**
* Send SOAP Message to specified url and returns message from peer.
* @param xmlMessage <code>String</code> will be sent.
* @param soapUrl URL the mesaage send to.
* @param isClientMessage true if the message is sent from SOAP client to
* server.
* @return SOAPMessage if the peer send back any reply.
* @throws SOAPException if error in creating soap message.
* @throws SAML2Exception if error in creating soap message.
*/
throws SOAPException, SAML2Exception {
}
/**
* Returns encryption certificate alias name.
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return alias name of certificate alias for encryption.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
}
/**
* Returns signing certificate alias name.
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return alias name of certificate alias for signing.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
}
/**
* Returns signing certificate key password (encrypted).
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return The encrypted keypass of the private key used for signing.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
}
/**
* Returns true if wantAssertionEncrypted has <code>String</code> true.
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantAssertionEncrypted has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantEncrypted == null) {
wantEncrypted = "false";
}
}
/**
* Returns true if wantAttributeEncrypted has <code>String</code> true.
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantAttributeEncrypted has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantEncrypted == null) {
wantEncrypted = "false";
}
}
/**
* Returns true if wantNameIDEncrypted has <code>String</code> true.
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantNameIDEncrypted has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantEncrypted == null) {
wantEncrypted = "false";
}
}
/**
* Returns true if wantArtifactResolveSigned has <code>String</code> true.
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantArtifactResolveSigned has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantSigned == null) {
wantSigned = "false";
}
}
/**
* Returns true if wantArtifactResponseSigned has <code>String</code> true.
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantArtifactResponseSigned has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantSigned == null) {
wantSigned = "false";
}
}
/**
* Returns true if wantLogoutRequestSigned has <code>String</code> true.
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantLogoutRequestSigned has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantSigned == null) {
wantSigned = "false";
}
}
/**
* Returns true if wantLogoutResponseSigned has <code>String</code> true.
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantLogoutResponseSigned has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantSigned == null) {
wantSigned = "false";
}
}
/**
* Returns true if wantMNIRequestSigned has <code>String</code> true.
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantMNIRequestSigned has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantSigned == null) {
wantSigned = "false";
}
}
/**
* Returns true if wantMNIResponseSigned has <code>String</code> true.
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantMNIResponseSigned has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantSigned == null) {
wantSigned = "false";
}
}
/**
* Returns boolean value of specified attribute from SSOConfig.
* This method is used for boolean-valued attributes.
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @param attrName attribute name for the value.
* @return value of specified attribute from SSOConfig.
*/
return false;
}
}
/**
* Returns single value of specified attribute from SSOConfig.
* This method is used for single-valued attributes.
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @param attrName attribute name for the value.
* @return value of specified attribute from SSOConfig.
*/
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
}
} else {
return null;
}
}
/**
* Returns all values of specified attribute from SSOConfig.
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @param attrName attribute name for the value.
* @return value of specified attribute from SSOConfig.
*/
if (debug.messageEnabled()) {
}
try {
} else if (entityRole.equalsIgnoreCase(
} else if (entityRole.equalsIgnoreCase(
} else if (entityRole.equalsIgnoreCase(
}
return null;
}
return null;
}
} catch (SAML2MetaException e) {
}
return null;
}
/**
* Returns the role of host entity.
* @param paramsMap <code>Map</code> includes parameters.
* @return role name for hosted entity.
* @throws SAML2Exception if error in retrieving the parameters.
*/
throws SAML2Exception {
{
return roleName;
}
throw new SAML2Exception(
}
/**
* Returns true if this entity is acting as both SP and IDP.
* @param hostEntityId entity ID of the hosted entity.
* @param realm the realm the entity resides.
* @return true if this entity is acting as both SP and IDP,
* false otherwise.
*/
try {
return false;
}
return false;
}
return true;
} catch (Exception e) {
return false;
}
}
/**
* Returns url for redirection.
* @param request <code>HttpServletRequest</code> for redirecting.
* @param response <code>HttpServletResponse</code> for redirecting.
* @param realm realm of hosted entity.
* @param hostEntityID name of hosted entity.
* @param entityRole role of hosted entity.
* @throws IOException if error in redirecting request.
*/
public static void redirectAuthentication(
// get the authentication service url
// need to get it from the request
if (secondSlashIndex != -1) {
}
}
authUrl += "?goto=";
} else {
authUrl += "&goto=";
}
if (debug.messageEnabled()) {
}
}
/**
* Returns url for redirection.
* @param entityID entityID for Issuer.
* @return Issuer for the specified entityID.
* @throws SAML2Exception if error in creating Issuer element.
*/
throws SAML2Exception {
if (debug.messageEnabled()) {
}
return issuer;
}
/**
* Sign Query string.
*
* @param queryString URL query string that will be signed.
* @param realm realm of host entity.
* @param hostEntity entityID of host entity.
* @param hostEntityRole entity role of host entity.
* @return returns signed query string.
* @throws SAML2Exception if error in signing the query string.
*/
throws SAML2Exception {
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
}
}
} else {
}
if (signingKey == null) {
throw new SAML2Exception(
}
}
/**
* Verify Signed Query string.
*
* @param queryString URL query string that will be verified.
* @param realm realm of host entity.
* @param hostEntityRole entity role of host entity.
* @param remoteEntity entityID of peer entity.
* @return returns true if sign is valid.
* @throws SAML2Exception if error in verifying the signature.
*/
throws SAML2Exception {
if (debug.messageEnabled()) {
}
} else {
}
if (debug.messageEnabled()) {
}
if (signingCert == null) {
throw new SAML2Exception(
}
}
/**
* Parses the request parameters and return session object
* or redirect to login url.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param metaAlias entityID of hosted entity.
* @param paramsMap Map of all other parameters.
* @return session object of <code>HttpServletRequest</code>.
* @throws SAML2Exception if error initiating request to remote entity.
*/
public static Object checkSession(
try {
} catch (SessionException se) {
if (debug.messageEnabled()) {
}
}
if (debug.messageEnabled()) {
"redirect to the authentication service");
}
// the user has not logged in yet,
// redirect to the authentication service
try {
} catch (IOException ioe) {
}
}
return session;
}
/**
* Returns a Name Identifier
*
* @return a String the Name Identifier. Null value
* is returned if there is an error in
* generating the Name Identifier.
*/
public static String createNameIdentifier() {
try {
byte[] handleBytes = new byte[21];
if (debug.messageEnabled()) {
}
} catch (Exception e) {
+ " Exception during proccessing request" + e.getMessage());
}
return handle;
}
/**
* Returns the Service Provider AuthnContext Mapper Object.
*
* @param authnCtxClassName Service Provider AuthnContext Mapper Class Name.
* @return SPAuthnContextMapper Object.
*/
public static SPAuthnContextMapper getSPAuthnContextMapper(
}
try {
} catch (ClassNotFoundException ce) {
+ " using Default AuthnContext Mapper");
}
} catch (InstantiationException ie) {
+ " using Default AuthnContext Mapper");
}
} catch (IllegalAccessException iae) {
+ " using Default AuthnContext Mapper");
}
} catch (Exception e) {
+ " using Default AuthnContext Mapper");
}
}
}
if (spAuthnCtx == null) {
spAuthnCtx = new DefaultSPAuthnContextMapper();
}
return spAuthnCtx;
}
/**
* Verifies <code>Issuer</code> in <code>Request</code> and returns
* true if the Issuer is part of COT
* SAML2 auth module only.
* @param realm realm of hosted entity.
* @param hostEntity name of hosted entity.
* @param reqIssuer <code>Issuer</code> of Request.
* @param requestId request ID
* @return true if issuer is valid.
* @throws SAML2Exception
*/
throws SAML2Exception {
if (issuerValid == false) {
if (debug.messageEnabled()) {
"Issuer in Request is not valid.");
}
data,
null);
throw new SAML2Exception(
}
return issuerValid;
}
/**
* Verifies <code>Issuer</code> in <code>Response</code> and returns
* true if the Issuer is part of COT
* @param realm realm of hosted entity.
* @param hostEntity name of hosted entity.
* @param resIssuer <code>Issuer</code> of Response.
* @param requestId request ID for the response.
* @return true if issuer is valid.
* @throws SAML2Exception
*/
throws SAML2Exception {
if (issuerValid == false) {
if (debug.messageEnabled()) {
"Issuer in Response is not valid.");
}
data,
null);
throw new SAML2Exception(
}
return issuerValid;
}
// get spExtended
try {
if (debug.messageEnabled()) {
}
if (spEntityCfg != null) {
}
} catch (COTException ce) {
"Error retreiving circle of trust",ce);
}
} catch (SAML2Exception s2e) {
"Error getting reader URL : ", s2e);
}
} catch (Exception e) {
"Error getting reader URL : ", e);
}
}
return readerURL;
}
/**
* Returns the Request URL.
* The getRequestURL does not alway returns the correct url
* so this method builds the URL by retrieving the protocol,port
* host name and deploy descriptor.
*
* @param request the <code>HttpServletRequest</code>.
* @return the Request URL string.
*/
}
} else {
}
baseURL += deployDesc;
}
return baseURL;
}
/**
* Returns the Identity Provider Entity Identifier.
* This method retrieves the _saml_idp query parameter
* from the request and parses it to get the idp entity
* id. If there are more then one idps then the last
* one is the preferred idp.
*
* @param request the <code>HttpServletRequest</code> .
* @return the identity provider entity identifier String.
*/
while (st.hasMoreTokens()) {
}
try {
} catch (Exception e) {
}
}
return idpEntityID;
}
/**
* Returns the redirect URL.
* This methods returns the complete reader redirect url.
* The RelayState and requestId parameter are appended to
* the URL to redirection back to the spSSOInit jsp.
*
* @param readerURL the readerURL to redirect to.
* @param requestID the unique identifier to identify the request.
* @param request the HttpServletRequest.
* @return redirectURL the URL to redirect to.
*/
} else {
}
return redirectURL;
}
/**
* Returns an <code>IDPAccountMapper</code>
*
* @param realm the realm name
* @param idpEntityID the entity id of the identity provider
*
* @return the <code>IDPAccountMapper</code>
* @exception SAML2Exception if the operation is not successful
*/
public static IDPAccountMapper getIDPAccountMapper(
throws SAML2Exception {
try {
if (idpAccountMapperName == null) {
}
}
if (idpAccountMapper == null) {
} else {
"got the IDPAccountMapper from cache");
}
}
"Unable to get IDP Account Mapper.", ex);
throw new SAML2Exception(ex);
}
return idpAccountMapper;
}
/**
* Returns a <code>SAML2IdentityProviderAdapter</code>
*
* @param realm the realm name
* @param idpEntityID the entity id of the identity provider
*
* @return the <code>SAML2IdentityProviderAdapter</code>
* @exception SAML2Exception if the operation is not successful
*/
public static SAML2IdentityProviderAdapter getIDPAdapterClass(
throws SAML2Exception {
try {
}
}
// Attempt to retrieve the adapter from the cache
idpAdapter = (SAML2IdentityProviderAdapter) IDPCache.idpAdapterCache.get(realm + "$" + idpEntityID + "$" + idpAdapterName);
if (idpAdapter == null) {
// NB: multiple threads may cause several adapter objects to be created
// Add the adapter to the cache after initialization
} else {
}
}
throw new SAML2Exception(ex);
}
return idpAdapter;
}
/**
* Returns an <code>SP</code> adapter class
*
* @param spEntityID the entity id of the service provider
* @param realm the realm name
*
* @return the <code>SP</code> adapter class
* @exception SAML2Exception if the operation is not successful
*/
public static SAML2ServiceProviderAdapter getSPAdapterClass(
throws SAML2Exception {
}
try {
"get SPAdapter class " + spAdapterClassName);
}
if ((spAdapterClassName != null) &&
if (spAdapterClass == null) {
"create new SPAdapter " + spAdapterClassName +
}
} else {
"got the SPAdapter " + spAdapterClassName +
" from cache");
}
}
}
} catch (InstantiationException ex) {
"Unable to get SP Adapter class instance.", ex);
throw new SAML2Exception(ex);
} catch (ClassNotFoundException ex) {
"SP Adapter class not found.", ex);
throw new SAML2Exception(ex);
} catch (IllegalAccessException ex) {
"Unable to get SP Adapter class.", ex);
throw new SAML2Exception(ex);
}
return spAdapterClass;
}
/**
* Returns a <code>Fedlet</code> adapter class.
*
* @param spEntityID the entity id of the service provider
* @param realm the realm name
*
* @return the <code>Fedlet</code> adapter class
* @exception SAML2Exception if the operation is not successful
*/
public static FedletAdapter getFedletAdapterClass(
throws SAML2Exception {
}
try {
"get FedletAdapter class " + fedletAdapterClassName);
}
if ((fedletAdapterClassName != null) &&
if (fedletAdapterClass == null) {
"create new FedletAdapter " +
}
} else {
"got the FedletAdapter " + fedletAdapterClassName +
" from cache");
}
}
}
} catch (InstantiationException ex) {
"Unable to get Fedlet Adapter class instance.", ex);
throw new SAML2Exception(ex);
} catch (ClassNotFoundException ex) {
"Fedlet Adapter class not found.", ex);
throw new SAML2Exception(ex);
} catch (IllegalAccessException ex) {
"Unable to get Fedlet Adapter class.", ex);
throw new SAML2Exception(ex);
}
return fedletAdapterClass;
}
/**
* Returns map based on A/V pair.
*/
return map;
}
for (int i = 0; i < size; i++) {
if (debug.messageEnabled()) {
}
continue;
}
if (pos == -1) {
if (debug.warningEnabled()) {
+ val + ". Value must be in key=value format.");
}
continue;
} else {
}
}
return map;
}
/**
* Returns an <code>SPAccountMapper</code>
*
* @param realm the realm name
* @param spEntityID the entity id of the service provider
*
* @return the <code>SPAccountMapper</code>
* @exception SAML2Exception if the operation is not successful
*/
public static SPAccountMapper getSPAccountMapper(
throws SAML2Exception {
try {
if (spAccountMapperName == null) {
}
}
if (spAccountMapper == null) {
} else {
"got the SPAccountMapper from cache");
}
}
"Unable to get SP Account Mapper.", ex);
throw new SAML2Exception(ex);
}
return spAccountMapper;
}
/**
* Returns an <code>SAML2IDPFinder</code> which is used to find a list
* of IDP's for ECP Request.
*
* @param realm the realm name
* @param spEntityID the entity id of the service provider
*
* @return the <code>SAML2IDPFinder</code>
* @exception SAML2Exception if the operation is not successful
*/
try {
}
if ((implClassName == null) ||
return null;
}
if (ecpRequestIDPListFinder == null) {
} else {
"got the ECP Request IDP List Finder from cache");
}
}
"Unable to get ECP Request IDP List Finder.", ex);
}
}
return ecpRequestIDPListFinder;
}
/**
* Returns the URL to which redirection will happen after
* Single-Signon / Federation. This methods checks the
* following parameters to determine the Relay State.
* 1. The "RelayState" query parameter in the request.
* 2. The "RelayStateAlias" query parameter in the
* request which is used in the absence of the
* RelayState parameter to determine which query parameter
* to use if no "RelayState" query paramerter is present.
* 3. The "goto" query parameter if present is the default
* RelayState in the absence of the above.
*
* @param request the <code>HttpServletRequest</code> object.
* @return the value of the URL to which to redirect on
* successful Single-SignOn / Federation.
*/
while (st.hasMoreTokens()) {
break;
}
}
}
if (relayState == null) {
// check if goto parameter is there.
}
}
return relayState;
}
/**
* Compares the destination and location
* @param destination Destination
* @param location the URL from the meta
* @return <code>true</code> if the input are the same,
* otherwise, return <code>false</code>
*/
/* Note:
Here we assume there is one endpoint per protocol. In future,
we may support more than one endpoint per protocol. The caller
code should change accordingly.
*/
}
/**
* Retrieves SAE related attributes from exended metadata.
* @param realm realm the FM provider is in
* @param entityId the entity ID of the FM provider
* @param role Role of the FM provider
* @param appUrl application url
* @return Map containing SAE parameters or null in case of error.
*/
public static Map getSAEAttrs(
{
return null;
}
try {
spConfig =
return null;
}
} else {
return null;
}
}
return null;
}
if (debug.messageEnabled()) {
}
while (st.hasMoreTokens()) {
if (debug.messageEnabled()) {
}
} else {
break;
}
{
}
}
if (debug.messageEnabled()) {
}
return hp;
}
}
}
} catch (SAML2MetaException e) {
}
return null;
}
/**
* Obtains the value of NameID from Response.
* @param response <code>Response</code> object
* @return value of the NameID from the first Assertion in the response.
* null if the response is null, or no assertion in the response, or
* no NameID in the assertion.
*/
}
}
}
}
return null;
}
/**
* Writes a log record in SAML2 access log.
* (fmSAML2.access)
*
* @param lvl indicating log level
* @param msgid Message id
* @param data string array of dynamic data only known during run time
* @param tok Session of authenticated user
* @param ipaddr IP Address.
* @param userid User Id.
* @param org Organization.
* @param module Module Name.
* @param props log record columns - used if tok is not available
* to specify log record columns such as ip address, realm, etc
*/
{
}
/**
* Writes error occurred in SAML2 component into a log
* (fmSAML2.error)
* @param lvl indicating log level
* @param msgid Message id
* @param data string array of dynamic data only known during run time
* @param tok Session of authenticated user
* @param ipaddr IP Address
* @param userid User Id
* @param org Organization
* @param module Module Name
* @param props log record columns - used if tok is not available
* to specify log record columns such as ip address, realm, etc
*/
public static void logError(
{
}
private static Map accumulateLogProps(
{
}
}
}
}
}
return props;
}
/**
* Returns the value of attribute from entity configuration.
*
* @param realm the realm of the entity.
* @param entityRole role of the entity (PEP or PDP).
* @param entityID identity of the entity.
* @param attrName name of attribute whose value is to be retreived.
* @return value of the attribute.
*/
public static String getAttributeValueFromXACMLConfig(
) {
if (debug.messageEnabled()) {
}
try {
}
} else {
entityID);
}
}
}
}
} catch (SAML2MetaException e) {
}
if (debug.messageEnabled()) {
}
return result;
}
/**
* Returns true if wantXACMLAuthzDecisionQuerySigned has
* <code>true</code> true.
*
* @param realm realm of hosted entity.
* @param entityID name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantXACMLAuthzDecisionQuerySigned
* has <code>String</code> true.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
if (wantSigned == null) {
wantSigned = "false";
}
}
/**
* Checks certificate validity with configured CRL
* @param cert x509 certificate
* @return <code>true</code> if the certificate is not in CRL,
* otherwise, return <code>false</code>
*/
boolean certgood = true;
if (checkCertStatus == false) {
if (debug.messageEnabled()) {
" CRL check is not configured. Just return it is good.");
}
return certgood;
}
certgood =
if (debug.messageEnabled()) {
}
return certgood;
}
/**
* Gets the <code>SPAttributeMapper</code>.
*
* @param realm The realm the SP belongs to.
* @param spEntityID The entity ID of the SP.
* @return The {@link SPAttributeMapper} defined in the configuration.
* @throws SAML2Exception if the processing failed.
*/
public static SPAttributeMapper getSPAttributeMapper(String realm, String spEntityID) throws SAML2Exception {
try {
if (spAttributeMapperName == null) {
}
}
throw new SAML2Exception(ex);
}
}
/**
* Returns the attribute map by parsing the configured map in hosted
* provider configuration
* @param realm realm name.
* @param hostEntityID <code>EntityID</code> of the hosted provider.
* @return a map of local attributes configuration map.
* This map will have a key as the SAML attribute name and the value
* is the local attribute.
* @exception <code>SAML2Exception</code> if any failured.
*/
}
if (hostEntityID == null) {
}
if (debug.messageEnabled()) {
}
try {
}
if (debug.warningEnabled()) {
"configuration is not defined.");
}
return Collections.EMPTY_MAP;
}
if (debug.messageEnabled()) {
"Attribute map is not defined for entity: "+
}
return Collections.EMPTY_MAP;
}
if(debug.messageEnabled()) {
"Invalid entry." + entry);
}
continue;
}
}
return map;
} catch(SAML2MetaException sme) {
}
}
/**
* Returns the SAML <code>Attribute</code> object.
* @param name attribute name.
* @param values attribute values.
* @exception SAML2Exception if any failure.
*/
throws SAML2Exception {
}
//samlAttribute might be in format: NameFormat|Name
if (pipePos != -1) {
} else {
//TO DO: Put the message in the bundle libSAML2_XX.properties
throw new SAML2Exception("Wrong format of the attribute Name");
}
} else {
}
}
}
return attribute;
}
try {
} catch (ServletException sE) {
} catch (IOException ioE) {
}
}
/**
* Handles any exception when attempting to forward.
*
* @param exception
* Thrown and caught exception
* @throws SAML2Exception
* Single general exception that is thrown on
*/
}
/**
* Verifies specified name ID format and returns it. If specified name ID
* format is empty, returns name ID foramt supported by both IDP and SP.
*
* @param nameIDFormat name ID format.
* @param spsso SP meta data desciptor.
* @param idpsso IDP meta data desciptor.
* @exception SAML2Exception if name ID format is not supported.
*/
throws SAML2Exception {
// idpsso is null for ECP case
}
if ((idpNameIDFormatList == null) ||
(idpNameIDFormatList.isEmpty())){
if ((spNameIDFormatList == null) ||
(spNameIDFormatList.isEmpty())) {
return SAML2Constants.PERSISTENT;
} else {
}
} else {
if ((spNameIDFormatList == null) ||
(spNameIDFormatList.isEmpty())) {
} else {
nameIDFormat = null;
break;
}
}
if (nameIDFormat == null) {
"unsupportedNameIDFormatIDPSP"));
}
}
}
} else {
}
if (debug.messageEnabled()) {
"NameIDFormat not supported by SP: " + nameIDFormat);
}
throw new SAML2Exception(BUNDLE_NAME,
"unsupportedNameIDFormatSP", args);
}
if ((idpNameIDFormatList != null) &&
(!idpNameIDFormatList.isEmpty()) &&
if (debug.messageEnabled()) {
"NameIDFormat not supported by IDP: " + nameIDFormat);
}
throw new SAML2Exception(BUNDLE_NAME,
"unsupportedNameIDFormatIDP", args);
}
}
return nameIDFormat;
}
/**
* Returns true if the specified AuthnContextClassRef matches a list of
* requested AuthnContextClassRef.
*
* @param requestedACClassRefs a list of requested AuthnContextClassRef's
* @param acClassRef AuthnContextClassRef
* @param comparison the type of comparison
* @param acClassRefLevelMap a AuthnContextClassRef to AuthLevel map. Key
* is AuthnContextClassRef in <code>String</code> and value is
* AuthLevel in <code>Integer</code>
*
* @return true if the specified AuthnContextClassRef matches a list of
* requested AuthnContextClassRef
*/
}
return false;
}
return true;
}
}
return false;
}
", comparison = " + comparison);
}
"isAuthnContextMatching: requstedACClassRef = " +
}
if (level >= requestedLevel) {
return true;
}
}
return false;
"isAuthnContextMatching: requstedACClassRef = " +
}
if (level <= requestedLevel) {
return false;
}
}
return true;
"isAuthnContextMatching: requstedACClassRef = " +
}
if (level <= requestedLevel) {
return true;
}
}
return false;
}
return false;
}
/**
* Processes logout for external application. This will do a back channel
* HTTP POST to the external application logout URL with all the cookies
* and selected session property as HTTP header.
* @param request HttpServletRequest
* @param appLogoutURL external application logout URL
* @param session session object of the user
*/
try {
return;
}
// actual application logout URL without the session
// property query parameter
// name of the session property
// find out session property name from the URL
if (pos != -1) {
if (endPos != -1) {
endPos);
} else {
}
}
if (debug.messageEnabled()) {
", real logoutURL=" + logoutURL +
", session property name: " + sessProp);
}
conn.setDoOutput(true);
HttpURLConnection.setFollowRedirects(false);
conn.setInstanceFollowRedirects(false);
// replay cookies
if (strCookies != null) {
if (debug.messageEnabled()) {
}
}
// set header & content
int i = 0;
while (true) {
} else {
break;
}
}
}
}
if (debug.messageEnabled()) {
}
// Write the request to the HTTP server.
// Check response code
if (debug.messageEnabled()) {
}
} else {
+ conn.getResponseCode());
}
} catch (SessionException ex) {
} catch (IOException ex) {
}
}
// Get cookies string from HTTP request object
// Process Cookies
if (debug.messageEnabled()) {
}
cookieStr = new StringBuffer();
} else {
}
} else {
}
}
}
}
return (strCookies);
}
/**
* Returns value of attribute <code>wantPOSTResponseSigned</code>
* as a boolean value true to false.
*
* @param realm realm of hosted entity.
* @param hostEntityId name of hosted entity.
* @param entityRole role of hosted entity.
* @return true if wantPOSTResponseSigned has <code>String</code> true,
* otherwise false.
*/
String entityRole) {
if (debug.messageEnabled()) {
}
}
/**
* Checks if a profile binding is suppported by a SP.
* @param realm Realm the SP is in.
* @param spEntityID SP entity id.
* @param binding binding to be checked on
* @return <code>true</code> if the binding is supported;
* <code>false</code> otherwise.
*/
public static boolean isSPProfileBindingSupported(
{
if ((saml2MetaManager == null) ||
{
return false;
}
try {
}
return true;
}
}
}
} catch (SAML2MetaException me) {
}
return false;
}
/**
* Checks if a profile binding is suppported by an IDP.
* @param realm Realm the IDP is in.
* @param idpEntityID IDP entity id.
* @param binding binding to be checked on
* @return <code>true</code> if the binding is supported;
* <code>false</code> otherwise.
*/
public static boolean isIDPProfileBindingSupported(
{
if ((saml2MetaManager == null) ||
{
return false;
}
try {
} else if (
{
} else if (
{
} else if (
{
} else if (
{
}
return true;
}
}
}
} catch (SAML2MetaException me) {
}
return false;
}
/**
* Convenience method to validate a SAML2 relay state (goto) URL, often called from a JSP.
*
* @param request Used to help establish the realm and hostEntityID.
* @param relayState The URL to validate.
* @param role The role of the caller.
* @return <code>true</code> if the relayState is valid.
*/
public static boolean isRelayStateURLValid(HttpServletRequest request, String relayState, String role) {
//try to acquire the metaAlias from request parameter
}
}
/**
* Convenience method to validate a SAML2 relay state (goto) URL, often called from a JSP.
*
* @param metaAlias The metaAlias of the hosted entity.
* @param relayState The URL to validate.
* @param role The role of the caller.
* @return <code>true</code> if the relayState is valid.
*/
boolean result = false;
try {
if (hostEntityID != null) {
result = true;
}
} catch (SAML2Exception e) {
if (debug.messageEnabled()) {
}
result = false;
}
}
if (debug.messageEnabled()) {
}
return result;
}
/**
* Validates the Relay State URL against a list of valid Relay State
* URLs created on the hosted service provider.
*
* @param orgName realm or organization name the provider resides in.
* @param hostEntityId Entity ID of the hosted provider.
* @param relayState Relay State URL.
* @throws SAML2Exception if the processing failed.
*/
public static void validateRelayStateURL(
// Check for the validity of the RelayState URL.
}
}
}
/**
* Sends the request to the original Federation server and receives the result
* data.
*
* @param request HttpServletRequest to be sent
* @param response HttpServletResponse to be received
* @param sloServerUrl URL of the original federation server to be
* connected
*
* @return HashMap of the result data from the original server's response
*
*/
// Print request Headers
if (debug.messageEnabled()) {
}
}
// Open URL connection
try {
if (debug.messageEnabled()) {
}
if (isGET) {
} else {
conn.setDoOutput(true);
}
HttpURLConnection.setFollowRedirects(false);
conn.setInstanceFollowRedirects(false);
// replay cookies
if (strCookies != null) {
if (debug.messageEnabled()) {
}
}
conn.setRequestProperty(SAMLConstants.ACCEPT_LANG_HEADER, request.getHeader(SAMLConstants.ACCEPT_LANG_HEADER));
// do the remote connection
if (isGET) {
} else {
}
if (debug.messageEnabled()) {
}
try {
} catch (IOException ioe) {
} finally {
}
}
// Receiving input from Original Federation server...
if (debug.messageEnabled()) {
}
// Input from Original servlet...
int len;
char[] buf = new char[1024];
}
if (debug.messageEnabled()) {
}
if (redirect_url != null) {
}
// retrieves cookies from the response
if (debug.messageEnabled()) {
}
}
return origRequestData;
}
// parses the cookies from the response header and adds them in
// the HTTP response.
// TODO: This is a copy from AuthClientUtils, need to refactor into OpenAM
// common
if (debug.messageEnabled()) {
}
return;
}
continue;
}
if (debug.messageEnabled()) {
+ cookieStr);
}
while (stz.hasMoreTokens()) {
if (index == -1) {
continue;
}
// we can ignore this cookie
continue;
}
/* decode the cookie if it is already URLEncoded,
* we have to pass non URLEncoded cookie to
* createCookie method
*/
if (isURLEncoded(nameOfValue)) {
try {
// this would not happen for UTF-8
}
}
// we don't care about the cookie expiry
continue;
path = nameOfValue;
} else {
}
}
}
}
}
}
}
}
/**
* Checks if the provided <code>String</code> is URLEncoded. Our logic is
* simple. If the string has % or + character we treat as URL encoded
*
* TODO : Copied from AuthClientUtils, refactor
*
* @param s
* the <code>String</code> we want to check
* @return <code>true</code> if the provided string is URLEncoded,
* <code>false</code> otherwise.
*/
private static boolean isURLEncoded(String s) {
boolean urlEncoded = false;
if (s != null) {
urlEncoded = true;
}
}
return urlEncoded;
}
/**
* Creates a Cookie with the <code>cookieName</code>,
* <code>cookieValue</code> for the cookie domains specified.
*
* TODO: Copied from AuthClientUtils Refactor
*
* @param cookieName
* is the name of the cookie
* @param cookieValue
* is the value fo the cookie
* @param cookieDomain
* Domain for which the cookie is to be set.
* @param path
* The path into which the cookie shall be set
* @return the cookie object.
*/
if (debug.messageEnabled()) {
}
try {
path, cookieDomain);
if (debug.messageEnabled()) {
}
}
if (debug.messageEnabled()) {
}
return cookie;
}
/**
* Return true if the User for this session has a profile set to Ignore
* @param session session object of the user
* @return true if the User for this session has a profile set to Ignore
*/
boolean result = false;
//ISAuthConstants.USER_PROFILE
//ISAuthConstants.IGNORE
}
if (debug.messageEnabled()) {
+ "User profile from session = "
}
} else {
if (debug.messageEnabled()) {
}
}
return result;
}
}