/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: WSFederationUtils.java,v 1.6 2009/10/28 23:58:58 exu Exp $
*
* Portions Copyrighted 2015-2016 ForgeRock AS.
*/
/**
* Utility methods for WS-Federation implementation.
*/
public class WSFederationUtils {
/**
* <code>Debug</code> instance for use by WS-Federation implementation.
*/
/**
* Resource bundle for the WS-Federation implementation.
*/
/*
* Map from wctx parameter to reply URL (see putReplyURL / popReplyURL below, which key it by wctx).
*/
private static final RedirectUrlValidator<ValidWReplyExtractor.WSFederationEntityInfo> WREPLY_VALIDATOR =
/*
 * One-time static setup for this utility class. A failure in any step is
 * wrapped in ExceptionInInitializerError, which aborts class loading rather
 * than leaving the class usable with a half-initialised collaborator.
 *
 * NOTE(review): the bodies of the first two try blocks are not visible in this
 * listing; the catch types suggest a data-store provider and a session
 * provider are obtained there — confirm against the full source.
 */
static {
try {
// NOTE(review): body not visible in this listing — verify in the full source
} catch (DataStoreProviderException dse) {
throw new ExceptionInInitializerError(dse);
}
try {
// NOTE(review): body not visible in this listing — verify in the full source
} catch (SessionException se) {
throw new ExceptionInInitializerError(se);
}
try {
// Metadata manager used by getMetaManager(); a meta failure is fatal at load time.
metaManager = new WSFederationMetaManager();
} catch (WSFederationMetaException we) {
throw new ExceptionInInitializerError(we);
}
}
/*
* Private constructor ensures that no instance is ever created.
*/
private WSFederationUtils() {
// Intentionally empty: this class is used only through its static members.
}
/**
* Returns an instance of <code>WSFederationMetaManager</code>.
* @return an instance of <code>WSFederationMetaManager</code>.
*/
return metaManager;
}
/**
* Extracts the home account realm from the user agent HTTP header. The header
* is supplied by the client, so the returned realm name is untrusted input.
* @param uaHeader user agent HTTP header. User agent header must be
* semi-colon separated, of the form <code>Mozilla/4.0 (compatible;
* MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1;
* amWSFederationAccountRealm:Adatum Corp)</code>.
* @param accountRealmCookieName identifier with which to search user agent
* HTTP header.
* @return the home account realm name.
*/
{
// UA String is of form "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
// 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1;
// amWSFederationAccountRealm:Adatum Corp)"
if ( leftBracket == -1 ) {
if (debug.warningEnabled()) {
}
return null;
}
if (debug.warningEnabled()) {
}
return null;
}
if (debug.warningEnabled()) {
}
return null;
}
// insideBrackets is of form "compatible; MSIE 6.0; Windows NT 5.1; SV1;
// .NET CLR 1.1.4322; InfoPath.1;
// amWSFederationAccountRealm:Adatum Corp"
// Split string on matches of any amount of whitespace surrounding a
// semicolon
if (debug.warningEnabled()) {
}
return null;
}
// uaFields[] is of form {"compatible", "MSIE 6.0", "Windows NT 5.1",
// "SV1", ".NET CLR 1.1.4322", "InfoPath.1",
// "amWSFederationAccountRealm:Adatum Corp"}
// Split this field on matches of any amount of whitespace
// surrounding a colon
if (debug.warningEnabled()) {
"can't see accountRealm in " + uaFields[i]);
}
return null;
}
if (debug.warningEnabled()) {
uaFields[i]);
}
return null;
}
return keyValue[1];
}
}
return null;
}
/**
* Put a reply URL in the wctx->wreply map.
* @param wreply reply URL
* @return value for WS-Federation context parameter (wctx).
*/
synchronized (wctxMap)
{
}
return wctx;
}
/**
* Remove and return a reply URL from the wctx->wreply map.
* @param wctx WS-Federation context parameter
* @return reply URL
*/
synchronized (wctxMap)
{
}
return wreply;
}
/**
* Determines the validity of the signature on the <code>Assertion</code>.
* @param assertion SAML 1.1 Assertion
* @param realm Realm for the issuer
* @param issuer Assertion issuer - used to retrieve certificate for
* signature validation.
* @return true if the signature on the object is valid; false otherwise.
*/
{
boolean valid = false;
try {
true);
} catch (WSFederationMetaException ex) {
valid = false;
} catch (SAML2Exception ex) {
valid = false;
}
if ( ! valid )
{
};
data,
null);
}
return valid;
}
/**
* Determines the timeliness of the assertion.
* @param assertion SAML 1.1 Assertion
* @param timeskew in seconds
* @return true if the current time is after the Assertion's notBefore time
* - timeskew AND the current time is before the Assertion's notOnOrAfter
* time + timeskew
*/
{
long timeNow = currentTimeMillis();
if (notOnOrAfter == null ) {
data,
null);
return false;
data,
null);
return false;
}
data,
null);
return false;
data,
null);
return false;
}
return true;
}
/**
* Processes Single Logout across multiple federation protocols.
* @param request HttpServletRequest object.
* @param response HttpServletResponse object
*/
try {
// assume WS-Federation logout always succeeds, as the specification
// defines no logout status
// TODO : find out spEntityID/logout request if any
}
} catch (SessionException ex) {
// ignore;
} catch (IOException ex) {
// ignore;
// ignore;
}
}
/**
* Convenience method to validate a WSFederation wreply URL, often called from a JSP.
*
* @param request Used to help establish the realm and hostEntityID.
* @param relayState The URL to validate.
* @return <code>true</code> if the wreply is valid.
*/
try {
} catch (WSFederationMetaException e) {
return false;
}
}
/**
* Convenience method to validate a WSFederation wreply URL, often called from a JSP.
*
* @param metaAlias The metaAlias of the hosted entity.
* @param wreply The URL to validate.
* @param role The role of the caller.
* @return <code>true</code> if the wreply is valid.
*/
boolean result = false;
try {
if (hostEntityID != null) {
result = true;
}
} catch (WSFederationException e) {
if (debug.messageEnabled()) {
}
result = false;
}
}
if (debug.messageEnabled()) {
}
return result;
}
/**
* Validates the Wreply URL against a list of wreply State
* URLs created on the hosted service provider.
*
* @param orgName realm or organization name the provider resides in.
* @param hostEntityId Entity ID of the hosted provider.
* @param wreply wreply URL.
* @throws WSFederationException if the processing failed.
*/
public static void validateWReplyURL(
// Check the validity of the wreply (reply) URL.
}
}
}
/**
* Creates a SAML 1.1 token object based on the provided details.
*
* @param realm The realm of the WS-Fed entities
* @param idpEntityId The WS-Fed IdP (IP) entity ID.
* @param spEntityId The WS-Fed SP (RP) entity ID.
* @param session The authenticated session object.
* @param spTokenIssuerName The name of the token issuer corresponding to the SP (RP).
* @param authMethod The authentication method to specify in the AuthenticationStatement.
* @param wantAssertionSigned Whether the assertion should be signed.
* @return A SAML1.1 token.
* @throws WSFederationException If there was an error while creating the SAML1.1 token.
*/
public static SAML11RequestedSecurityToken createSAML11Token(String realm, String idpEntityId, String spEntityId,
throws WSFederationException {
throw new WSFederationException(WSFederationUtils.bundle.getString("unableToFindIDPConfiguration"));
}
try {
authSSOInstant = WSFederationUtils.sessionProvider.getProperty(session, SessionProvider.AUTH_INSTANT)[0];
} catch (SessionException se) {
throw new WSFederationException(se);
}
IDPAttributeMapper attrMapper = getIDPAttributeMapper(WSFederationMetaUtils.getAttributes(idpConfig));
IDPAccountMapper accountMapper = getIDPAccountMapper(WSFederationMetaUtils.getAttributes(idpConfig));
final Date authInstant;
authInstant = newDate();
} else {
try {
} catch (ParseException pe) {
throw new WSFederationException(pe);
}
}
SAML2Constants.ASSERTION_NOTBEFORE_SKEW_ATTRIBUTE, SAML2Constants.NOTBEFORE_ASSERTION_SKEW_DEFAULT);
String certAlias = WSFederationMetaUtils.getAttribute(idpConfig, SAML2Constants.SIGNING_CERT_ALIAS);
// SP wants us to sign the assertion, but we don't have a signing cert
}
if (!wantAssertionSigned) {
// SP doesn't want us to sign the assertion, so pass null certAlias to indicate no assertion signature
// required
}
}
throws WSFederationException {
if (accountMapperList != null) {
try {
.newInstance();
} catch (ReflectiveOperationException roe) {
throw new WSFederationException(roe);
}
}
if (accountMapper == null) {
}
return accountMapper;
}
throws WSFederationException {
if (attrMapperList != null) {
try {
attrMapper = Class.forName(attrMapperList.get(0)).asSubclass(IDPAttributeMapper.class).newInstance();
} catch (ReflectiveOperationException roe) {
throw new WSFederationException(roe);
}
}
if (attrMapper == null) {
}
return attrMapper;
}
}