ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts/*
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * opensso/legal/CDDLv1.0.txt
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * at opensso/legal/CDDLv1.0.txt.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: WSFederationUtils.java,v 1.6 2009/10/28 23:58:58 exu Exp $
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * Portions Copyrighted 2015-2016 ForgeRock AS.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpackage com.sun.identity.wsfederation.common;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpottsimport static org.forgerock.openam.utils.Time.*;
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.multiprotocol.SingleLogoutManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.datastore.DataStoreProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.datastore.DataStoreProviderException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.datastore.DataStoreProviderManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionProvider;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport com.sun.identity.saml.assertion.NameIdentifier;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport com.sun.identity.saml2.common.SAML2Constants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Utils;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport com.sun.identity.shared.DateUtils;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport com.sun.identity.wsfederation.jaxb.entityconfig.IDPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.wsfederation.meta.WSFederationMetaException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.io.IOException;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport java.util.Collections;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport java.text.ParseException;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport java.util.List;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport java.util.Map;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.logging.Level;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.debug.Debug;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.locale.Locale;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.Assertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.XMLSignatureManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Exception;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.xmlsig.SigManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.wsfederation.jaxb.wsfederation.FederationElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.wsfederation.key.KeyUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.wsfederation.logging.LogUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.wsfederation.meta.WSFederationMetaManager;
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTELimport com.sun.identity.wsfederation.meta.WSFederationMetaUtils;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport com.sun.identity.wsfederation.plugins.IDPAccountMapper;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport com.sun.identity.wsfederation.plugins.IDPAttributeMapper;
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTELimport com.sun.identity.wsfederation.plugins.whitelist.ValidWReplyExtractor;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport com.sun.identity.wsfederation.profile.SAML11RequestedSecurityToken;
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.security.cert.X509Certificate;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Date;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.HashMap;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.HashSet;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.ResourceBundle;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Set;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.servlet.http.HttpServletRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.servlet.http.HttpServletResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTELimport org.forgerock.openam.shared.security.whitelist.RedirectUrlValidator;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport org.forgerock.openam.utils.StringUtils;
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster/**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Utility methods for WS-Federation implementation.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpublic class WSFederationUtils {
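    /**
     * <code>Debug</code> instance for use by WS-Federation implementation.
     */
    public static Debug debug =
        Debug.getInstance(WSFederationConstants.AM_WSFEDERATION);
    /**
     * Resource bundle for the WS-Federation implementation.
     */
    public static ResourceBundle bundle = Locale.
        getInstallResourceBundle(WSFederationConstants.BUNDLE_NAME);
    /*
     * Map from wctx (the WS-Federation context identifier generated by
     * putReplyURL) to the wreply URL registered with it. Entries are added
     * by putReplyURL and taken out again by removeReplyURL; both lock on the
     * map itself, so the field is final to keep that monitor stable. Typed
     * rather than raw so the String contract is checked by the compiler.
     */
    private static final Map<String, String> wctxMap =
        new HashMap<String, String>();

    // Created by the static initializer; exposed through getMetaManager().
    private static WSFederationMetaManager metaManager = null;

    // Data store provider for the WS-Federation component, resolved in the
    // static initializer.
    public static DataStoreProvider dsProvider;

    // Session provider resolved in the static initializer.
    public static SessionProvider sessionProvider = null;

    // Validator used to check wreply redirect targets against the
    // configured whitelist (see ValidWReplyExtractor).
    private static final RedirectUrlValidator<ValidWReplyExtractor.WSFederationEntityInfo> WREPLY_VALIDATOR =
        new RedirectUrlValidator<ValidWReplyExtractor.WSFederationEntityInfo>(new ValidWReplyExtractor());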
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL
    /*
     * Eagerly resolves the collaborators the rest of this class relies on.
     * Each lookup is attempted in turn; if any one fails, the cause is logged
     * and rethrown as ExceptionInInitializerError, so the class never becomes
     * usable with a missing data store, session provider or metadata manager.
     */
    static {
        String classMethod = "WSFederationUtils static initializer: ";
        try {
            DataStoreProviderManager dsManager =
                DataStoreProviderManager.getInstance();
            // Provider registered under the WS-Federation component name.
            dsProvider = dsManager.getDataStoreProvider(
                WSFederationConstants.WSFEDERATION);
        } catch (DataStoreProviderException dse) {
            debug.error(classMethod + "DataStoreProviderException : ", dse);
            throw new ExceptionInInitializerError(dse);
        }

        try {
            sessionProvider = SessionManager.getProvider();
        } catch (SessionException se) {
            debug.error( classMethod + "Error getting SessionProvider.", se);
            throw new ExceptionInInitializerError(se);
        }
        try {
            // Backs getMetaManager() and the metadata lookups in
            // isSignatureValid().
            metaManager = new WSFederationMetaManager();
        } catch (WSFederationMetaException we) {
            debug.error( classMethod + "Error getting meta service.", we);
            throw new ExceptionInInitializerError(we);
        }
    }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
    /**
     * Private constructor: this class is a holder for static utilities and
     * is never instantiated.
     */
    private WSFederationUtils() {
    }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
    /**
     * Returns the shared <code>WSFederationMetaManager</code> created by the
     * static initializer.
     * @return an instance of <code>WSFederationMetaManager</code>; not
     * <code>null</code> once this class has initialized, because a failure to
     * construct it aborts class initialization.
     */
    public static WSFederationMetaManager getMetaManager() {
        return metaManager;
    }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
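    /**
     * Extracts the home account realm from the user agent HTTP header.
     * <p>
     * The User-Agent header is supplied by the client, so the value returned
     * here is untrusted input: it is parsed, not validated against any
     * configured realm. Callers must perform that validation before acting
     * on it.
     * @param uaHeader user agent HTTP header. User agent header must be
     * semi-colon separated, of the form <code>Mozilla/4.0 (compatible;
     * MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1;
     * amWSFederationAccountRealm:Adatum Corp)</code>.
     * @param accountRealmCookieName identifier with which to search user agent
     * HTTP header.
     * @return the home account realm name, or <code>null</code> when either
     * argument is <code>null</code>, the header has no parenthesised section,
     * or the first field mentioning <code>accountRealmCookieName</code> is not
     * exactly of the form <code>accountRealmCookieName:value</code>.
     */
    public static String accountRealmFromUserAgent( String uaHeader,
        String accountRealmCookieName )
    {
        String classMethod = "WSFederationUtils.accountRealmFromUserAgent";

        // A missing header or search key used to surface as a
        // NullPointerException from indexOf(); report "no realm" instead.
        if (uaHeader == null || accountRealmCookieName == null) {
            if (debug.warningEnabled()) {
                debug.warning(classMethod +
                    "null user agent header or account realm key");
            }
            return null;
        }

        // UA String is of form "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
        // 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1;
        // amWSFederationAccountRealm:Adatum Corp)"
        int leftBracket = uaHeader.indexOf('(');
        if ( leftBracket == -1 ) {
            if (debug.warningEnabled()) {
                debug.warning(classMethod + "Can't find left bracket");
            }
            return null;
        }

        // The last ')' closes the section; anything after it is ignored.
        int rightBracket = uaHeader.lastIndexOf(')');
        if ( rightBracket == -1 || rightBracket < leftBracket ) {
            if (debug.warningEnabled()) {
                debug.warning(classMethod + "Can't find right bracket");
            }
            return null;
        }

        String insideBrackets = uaHeader.substring(leftBracket+1,rightBracket);
        if ( insideBrackets.length() == 0 ) {
            if (debug.warningEnabled()) {
                debug.warning(classMethod + "zero length between brackets");
            }
            return null;
        }

        // insideBrackets is of form "compatible; MSIE 6.0; Windows NT 5.1; SV1;
        // .NET CLR 1.1.4322; InfoPath.1;
        // amWSFederationAccountRealm:Adatum Corp"

        // Split string on matches of any amount of whitespace surrounding a
        // semicolon. String.split never returns null, so the old null check
        // on the result was dead code and has been dropped.
        String[] uaFields = insideBrackets.split("[\\s]*;[\\s]*");

        // uaFields[] is of form {"compatible", "MSIE 6.0", "Windows NT 5.1",
        // "SV1", ".NET CLR 1.1.4322", "InfoPath.1",
        // "amWSFederationAccountRealm:Adatum Corp"}

        for (String field : uaFields) {
            if (field.indexOf(accountRealmCookieName) == -1) {
                continue;
            }
            // The first field that mentions the key decides the outcome: it
            // must be exactly "<key>:<value>", otherwise the realm is treated
            // as absent rather than searching further.
            // Split this field on matches of any amount of whitespace
            // surrounding a colon
            String[] keyValue = field.split("[\\s]*:[\\s]*");
            if ( keyValue.length < 2 ) {
                if (debug.warningEnabled()) {
                    debug.warning(classMethod +
                        "can't see accountRealm in " + field);
                }
                return null;
            }

            if ( ! keyValue[0].equals(accountRealmCookieName)) {
                if (debug.warningEnabled()) {
                    debug.warning(classMethod + "can't understand " +
                        field);
                }
                return null;
            }

            return keyValue[1];
        }

        return null;
    }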
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
    /**
     * Registers a reply URL under a freshly generated WS-Federation context
     * identifier (wctx) so that it can be retrieved later with
     * {@link #removeReplyURL(String)}.
     * NOTE(review): entries leave the map only through removeReplyURL; nothing
     * in the visible part of this class expires them, so confirm that every
     * wctx issued here is eventually removed.
     * @param wreply reply URL
     * @return value for WS-Federation context parameter (wctx).
     */
    public static String putReplyURL(String wreply) {
        final String contextId = SAML2Utils.generateID();
        synchronized (wctxMap) {
            wctxMap.put(contextId, wreply);
        }
        return contextId;
    }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
    /**
     * Removes the reply URL registered for a WS-Federation context parameter
     * and hands it back; a second call with the same wctx yields null.
     * @param wctx WS-Federation context parameter
     * @return reply URL, or null when nothing is registered under wctx
     */
    public static String removeReplyURL(String wctx) {
        final Object removed;
        synchronized (wctxMap) {
            removed = wctxMap.remove(wctx);
        }
        return (String) removed;
    }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
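    /**
     * Determine the validity of the signature on the <code>Assertion</code>.
     * <p>
     * Verification fails closed: a missing assertion, a metadata lookup
     * failure or a signature-processing error all yield <code>false</code>.
     * The verification certificate is taken from the issuer's metadata, never
     * from the assertion itself. Every rejection is recorded through
     * <code>LogUtil.INVALID_SIGNATURE_ASSERTION</code>, and the underlying
     * exception (previously swallowed) is now written to the debug log so a
     * misconfigured issuer can be told apart from a tampered assertion.
     * @param assertion SAML 1.1 Assertion
     * @param realm Realm for the issuer
     * @param issuer Assertion issuer - used to retrieve certificate for
     * signature validation.
     * @return true if the signature on the object is valid; false otherwise,
     * including when <code>assertion</code> is <code>null</code>.
     */
    public static boolean isSignatureValid(Assertion assertion, String realm,
        String issuer)
    {
        String classMethod = "WSFederationUtils.isSignatureValid: ";
        if (assertion == null) {
            debug.error(classMethod + "null assertion");
            return false;
        }

        boolean valid = false;

        String signedXMLString = assertion.toString(true,true);
        String id = assertion.getAssertionID();

        try {
            FederationElement idp =
                metaManager.getEntityDescriptor(realm, issuer);
            X509Certificate cert = KeyUtil.getVerificationCert(idp, issuer,
                true);
            valid = SigManager.getSigInstance().verify(
                signedXMLString, id, Collections.singleton(cert));
        } catch (WSFederationMetaException ex) {
            debug.error(classMethod + "metadata lookup failed for issuer "
                + issuer + " in realm " + realm, ex);
            valid = false;
        } catch (SAML2Exception ex) {
            debug.error(classMethod + "signature verification failed for "
                + "assertion " + id, ex);
            valid = false;
        }

        if ( ! valid )
        {
            // Full XML only at FINER, otherwise just the assertion ID, to keep
            // routine failure entries small.
            String[] data = {LogUtil.isErrorLoggable(Level.FINER) ?
                signedXMLString : id,
                realm, issuer
            };
            LogUtil.error(Level.INFO,
                LogUtil.INVALID_SIGNATURE_ASSERTION,
                data,
                null);
        }
        return valid;
    }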
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
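    /**
     * Determines the timeliness of the assertion.
     * <p>
     * Both condition bounds are mandatory: an assertion lacking
     * <code>NotBefore</code> or <code>NotOnOrAfter</code> is rejected rather
     * than treated as unbounded, and each rejection is written to the
     * WS-Federation log with the full assertion when FINER error logging is
     * enabled, otherwise with just its ID.
     * @param assertion SAML 1.1 Assertion
     * @param timeskew in seconds
     * @return true if the current time is after the Assertion's notBefore time
     * - timeskew AND the current time is before the Assertion's notOnOrAfter
     * time + timeskew; false when either bound is missing or violated, and
     * also when <code>assertion</code> or its <code>Conditions</code> is
     * <code>null</code>.
     */
    public static boolean isTimeValid(Assertion assertion, int timeskew)
    {
        String classMethod = "WSFederationUtils.isTimeValid: ";

        // Fail closed on a structurally incomplete assertion instead of
        // throwing NullPointerException from the accessors below.
        if (assertion == null || assertion.getConditions() == null) {
            debug.error(classMethod +
                "assertion or its Conditions element is missing");
            return false;
        }

        long timeNow = currentTimeMillis();
        // Widen before multiplying: timeskew * 1000 in int arithmetic
        // overflows for skews beyond roughly 24 days and would silently shift
        // the validity window.
        long skewMillis = timeskew * 1000L;
        String assertionID = assertion.getAssertionID();

        Date notOnOrAfter = assertion.getConditions().getNotOnorAfter();
        if (notOnOrAfter == null ) {
            String[] data = {loggableAssertion(assertion, assertionID)};
            LogUtil.error(Level.INFO,
                LogUtil.MISSING_CONDITIONS_NOT_ON_OR_AFTER,
                data,
                null);
            return false;
        } else if ((notOnOrAfter.getTime() + skewMillis) < timeNow ) {
            String[] data = {loggableAssertion(assertion, assertionID),
                notOnOrAfter.toString(),
                Integer.toString(timeskew),
                (new Date(timeNow)).toString()};
            LogUtil.error(Level.INFO,
                LogUtil.ASSERTION_EXPIRED,
                data,
                null);
            return false;
        }

        Date notBefore = assertion.getConditions().getNotBefore();
        if ( notBefore == null ) {
            String[] data = {loggableAssertion(assertion, assertionID)};
            LogUtil.error(Level.INFO,
                LogUtil.MISSING_CONDITIONS_NOT_BEFORE,
                data,
                null);
            return false;
        } else if ((notBefore.getTime() - skewMillis) > timeNow ) {
            String[] data = {loggableAssertion(assertion, assertionID),
                notBefore.toString(),
                Integer.toString(timeskew),
                (new Date(timeNow)).toString()};
            LogUtil.error(Level.INFO,
                LogUtil.ASSERTION_NOT_YET_VALID,
                data,
                null);
            return false;
        }
        return true;
    }

    /**
     * Chooses what to record for an assertion in a log entry: the full
     * signed XML when FINER error logging is enabled, otherwise only its ID.
     * @param assertion the assertion being logged
     * @param assertionID its ID, already extracted by the caller
     * @return the string to place in the log data array
     */
    private static String loggableAssertion(Assertion assertion,
        String assertionID) {
        return LogUtil.isErrorLoggable(Level.FINER)
            ? assertion.toString(true,true) : assertionID;
    }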
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
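    /**
     * Processes Single Logout across multiple federation protocols for the given WS-Federation session.
     * <p>
     * The logout target ({@code wreply}), realm and IdP entity ID are read from request attributes that the
     * caller has placed on the request. WS-Federation defines no logout status, so the WS-Federation leg is
     * always reported to the {@link SingleLogoutManager} as succeeded; if the manager did not itself redirect,
     * the user agent is redirected to {@code wreply}.
     * <p>
     * NOTE(review): {@code wreply} is used as a redirect target exactly as read from the request attribute; this
     * method does not call {@link #validateWReplyURL}. It is assumed that whoever set the
     * {@code WSFederationConstants.LOGOUT_WREPLY} attribute has already validated the value against the hosted
     * entity's configured wreply list - confirm before reusing this method from a new caller, otherwise the
     * final redirect is an open-redirect sink.
     * <p>
     * All failures are logged at debug level and swallowed (best-effort logout); nothing is propagated.
     *
     * @param request HttpServletRequest object.
     * @param response HttpServletResponse object.
     * @param userSession The authenticated session object being logged out.
     */
    public static void processMultiProtocolLogout(HttpServletRequest request,
            HttpServletResponse response, Object userSession) {
        debug.message("WSFederationUtils.processMultiProtocolLogout");
        try {
            String wreply = (String) request.getAttribute(WSFederationConstants.LOGOUT_WREPLY);
            String realm = (String) request.getAttribute(WSFederationConstants.REALM_PARAM);
            String idpEntityId = (String) request.getAttribute(WSFederationConstants.ENTITYID_PARAM);

            Set<Object> sessSet = new HashSet<>();
            sessSet.add(userSession);
            String sessUser = SessionManager.getProvider().getPrincipalName(userSession);

            // assume WS-Federation logout always succeeds as there is no
            // logout status in the specification
            SingleLogoutManager manager = SingleLogoutManager.getInstance();
            // TODO : find out spEntityID/logout request if any
            int status = manager.doIDPSingleLogout(sessSet, sessUser,
                    request, response, false, true, SingleLogoutManager.WS_FED,
                    realm, idpEntityId, null, wreply, null, null,
                    SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS);

            if (status != SingleLogoutManager.LOGOUT_REDIRECTED_STATUS) {
                if (wreply == null) {
                    // No target to send the user agent to; previously sendRedirect(null) simply blew up
                    // into the catch-all below, so make the outcome explicit instead.
                    debug.message("WSFederationUtils.processMultiProtocolLogout: no wreply, skipping redirect");
                } else {
                    response.sendRedirect(wreply);
                }
            }
        } catch (SessionException | IOException ex) {
            // Best-effort: the session could not be read or the redirect could not be written.
            debug.message("WSFederationUtils.processMultiProtocolLogout", ex);
        } catch (Exception ex) {
            // Best-effort: anything raised by the multi-protocol logout manager is logged and ignored.
            debug.message("WSFederationUtils.processMultiProtocolLogout", ex);
        }
    }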
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL
    /**
     * Convenience method to validate a WS-Federation wreply URL, often called from a JSP.
     * <p>
     * The hosted entity is located from the request URI (its metaAlias), its role is looked up through a
     * freshly constructed {@link WSFederationMetaManager}, and validation is delegated to
     * {@link #isWReplyURLValid(String, String, String)}. A {@link WSFederationMetaException} raised anywhere
     * in that sequence is logged at warning level and reported as "not valid".
     *
     * @param request Used to help establish the realm and hostEntityID.
     * @param relayState The wreply URL to validate.
     * @return <code>true</code> if the wreply is valid.
     */
    public static boolean isWReplyURLValid(HttpServletRequest request, String relayState) {
        final String hostedMetaAlias = WSFederationMetaUtils.getMetaAliasByUri(request.getRequestURI());

        try {
            final WSFederationMetaManager manager = new WSFederationMetaManager();
            final String hostedRole = manager.getRoleByMetaAlias(hostedMetaAlias);
            return isWReplyURLValid(hostedMetaAlias, relayState, hostedRole);
        } catch (WSFederationMetaException e) {
            debug.warning("Can't get metaManager.", e);
            return false;
        }
    }
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL
    /**
     * Convenience method to validate a WS-Federation wreply URL, often called from a JSP.
     * <p>
     * Returns <code>false</code> when {@code metaAlias} is <code>null</code>, when no hosted entity can be
     * resolved for it, or when {@link #validateWReplyURL} rejects the URL. Note that because
     * {@link #validateWReplyURL} treats a <code>null</code> or empty wreply as "nothing to validate", such a
     * wreply is reported as valid here as long as the hosted entity resolves. The outcome is logged at
     * debug level together with the wreply and role.
     *
     * @param metaAlias The metaAlias of the hosted entity.
     * @param wreply The URL to validate.
     * @param role The role of the caller.
     * @return <code>true</code> if the wreply is valid.
     */
    public static boolean isWReplyURLValid(String metaAlias, String wreply, String role) {
        final boolean valid = metaAlias != null && checkHostedWReply(metaAlias, wreply, role);

        if (debug.messageEnabled()) {
            debug.message("WSFederationUtils.isWReplyURLValid(): wreply " + wreply +
                    " for role " + role + " was valid? " + valid);
        }

        return valid;
    }

    /**
     * Resolves the hosted entity behind a non-<code>null</code> {@code metaAlias} and runs
     * {@link #validateWReplyURL} against it.
     *
     * @param metaAlias The metaAlias of the hosted entity, never <code>null</code>.
     * @param wreply The URL to validate.
     * @param role The role of the caller.
     * @return <code>true</code> when the hosted entity exists and validation raised no exception;
     *         <code>false</code> when the entity could not be resolved or validation threw
     *         {@link WSFederationException} (which is logged at debug level).
     */
    private static boolean checkHostedWReply(String metaAlias, String wreply, String role) {
        final String realm = WSFederationMetaUtils.getRealmByMetaAlias(metaAlias);
        try {
            final String hostEntityID = WSFederationUtils.getMetaManager().getEntityByMetaAlias(metaAlias);
            if (hostEntityID == null) {
                return false;
            }
            validateWReplyURL(realm, hostEntityID, wreply, role);
            return true;
        } catch (WSFederationException e) {
            if (debug.messageEnabled()) {
                debug.message("WSFederationUtils.isWReplyURLValid(): wreply " + wreply +
                        " for role " + role + " triggered an exception: " + e.getMessage(), e);
            }
            return false;
        }
    }
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL
    /**
     * Validates the wreply URL against the list of wreply URLs configured on the hosted provider.
     * <p>
     * A <code>null</code> or empty wreply is accepted without any check (there is no redirect target to
     * validate); any other value must be accepted by {@code WREPLY_VALIDATOR} for the hosted entity
     * identified by {@code orgName}, {@code hostEntityId} and {@code role}.
     *
     * @param orgName realm or organization name the provider resides in.
     * @param hostEntityId Entity ID of the hosted provider.
     * @param wreply wreply URL.
     * @param role IDP/SP Role.
     * @throws WSFederationException if the wreply is non-empty and not a valid redirect URL for the hosted entity.
     */
    public static void validateWReplyURL(
            String orgName,
            String hostEntityId,
            String wreply,
            String role) throws WSFederationException {

        if (wreply == null || wreply.isEmpty()) {
            // Nothing to validate: no redirect target was supplied.
            return;
        }

        final boolean accepted = WREPLY_VALIDATOR.isRedirectUrlValid(wreply,
                ValidWReplyExtractor.WSFederationEntityInfo.from(orgName, hostEntityId, role));
        if (!accepted) {
            throw new WSFederationException(WSFederationUtils.bundle.getString("invalidWReplyUrl"));
        }
    }
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major
    /**
     * Creates a SAML 1.1 token object based on the provided details.
     * <p>
     * The IdP configuration drives everything: the attribute and account mappers (instantiated by class name
     * from the IdP config), the assertion's not-before skew and effective time, and the signing certificate
     * alias. When {@code wantAssertionSigned} is <code>true</code> a signing certificate alias must be
     * configured, otherwise the request is rejected rather than issuing an unsigned token; when it is
     * <code>false</code> the alias is deliberately dropped so that the token is not signed. The authentication
     * instant is taken from the session's {@code AUTH_INSTANT} property and falls back to the current time when
     * that property is empty.
     *
     * @param realm The realm of the WS-Fed entities
     * @param idpEntityId The WS-Fed IdP (IP) entity ID.
     * @param spEntityId The WS-Fed SP (RP) entity ID.
     * @param session The authenticated session object.
     * @param spTokenIssuerName The name of the token issuer corresponding to the SP (RP).
     * @param authMethod The authentication method to specify in the AuthenticationStatement.
     * @param wantAssertionSigned Whether the assertion should be signed.
     * @return A SAML1.1 token.
     * @throws WSFederationException If the IdP configuration is missing, a mapper cannot be created, the session
     *         property cannot be read, the stored authentication instant cannot be parsed, or signing was
     *         requested without a configured signing certificate alias.
     */
    public static SAML11RequestedSecurityToken createSAML11Token(String realm, String idpEntityId, String spEntityId,
            Object session, String spTokenIssuerName, String authMethod, boolean wantAssertionSigned)
            throws WSFederationException {
        final IDPSSOConfigElement idpConfig = metaManager.getIDPSSOConfig(realm, idpEntityId);
        if (idpConfig == null) {
            debug.error("Cannot find configuration for IdP " + idpEntityId);
            throw new WSFederationException(WSFederationUtils.bundle.getString("unableToFindIDPConfiguration"));
        }

        final String storedAuthInstant;
        try {
            storedAuthInstant =
                    WSFederationUtils.sessionProvider.getProperty(session, SessionProvider.AUTH_INSTANT)[0];
        } catch (SessionException se) {
            throw new WSFederationException(se);
        }

        final IDPAttributeMapper attrMapper = getIDPAttributeMapper(WSFederationMetaUtils.getAttributes(idpConfig));
        final IDPAccountMapper accountMapper = getIDPAccountMapper(WSFederationMetaUtils.getAttributes(idpConfig));

        final List attributes = attrMapper.getAttributes(session, idpEntityId, spEntityId, realm);
        final Date authInstant = resolveAuthInstant(storedAuthInstant);
        final NameIdentifier nameIdentifier = accountMapper.getNameID(session, realm, idpEntityId, spEntityId);

        final int notBeforeSkew = WSFederationMetaUtils.getIntAttribute(idpConfig,
                SAML2Constants.ASSERTION_NOTBEFORE_SKEW_ATTRIBUTE, SAML2Constants.NOTBEFORE_ASSERTION_SKEW_DEFAULT);
        final int effectiveTime = WSFederationMetaUtils.getIntAttribute(idpConfig,
                SAML2Constants.ASSERTION_EFFECTIVE_TIME_ATTRIBUTE, SAML2Constants.ASSERTION_EFFECTIVE_TIME);

        String certAlias = WSFederationMetaUtils.getAttribute(idpConfig, SAML2Constants.SIGNING_CERT_ALIAS);
        if (!wantAssertionSigned) {
            // SP doesn't want us to sign the assertion, so pass a null certAlias to indicate that no assertion
            // signature is required.
            certAlias = null;
        } else if (certAlias == null) {
            // SP wants us to sign the assertion, but we don't have a signing cert; refuse rather than
            // issue an unsigned token.
            debug.error("SP wants signed assertion, but no signing cert is configured");
            throw new WSFederationException(WSFederationUtils.bundle.getString("noIdPCertAlias"));
        }

        return new SAML11RequestedSecurityToken(realm, spTokenIssuerName, idpEntityId,
                notBeforeSkew, effectiveTime, certAlias, authMethod, authInstant,
                nameIdentifier, attributes);
    }

    /**
     * Turns the session's stored authentication instant into a {@link Date}, defaulting to "now" when absent.
     *
     * @param storedAuthInstant The raw {@code AUTH_INSTANT} session property, possibly empty.
     * @return The parsed instant, or the current time when the property is empty.
     * @throws WSFederationException If a non-empty value cannot be parsed.
     */
    private static Date resolveAuthInstant(String storedAuthInstant) throws WSFederationException {
        if (StringUtils.isEmpty(storedAuthInstant)) {
            return newDate();
        }
        try {
            return DateUtils.stringToDate(storedAuthInstant);
        } catch (ParseException pe) {
            throw new WSFederationException(pe);
        }
    }
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major
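    /**
     * Instantiates the IdP account mapper configured for the hosted IdP.
     *
     * @param attributes The IdP configuration attributes.
     * @return A new {@link IDPAccountMapper} instance.
     * @throws WSFederationException If no mapper is configured or it cannot be instantiated.
     */
    private static IDPAccountMapper getIDPAccountMapper(Map<String, List<String>> attributes)
            throws WSFederationException {
        return instantiateConfiguredMapper(attributes, SAML2Constants.IDP_ACCOUNT_MAPPER,
                IDPAccountMapper.class, "failedAcctMapper");
    }

    /**
     * Instantiates the IdP attribute mapper configured for the hosted IdP.
     *
     * @param attributes The IdP configuration attributes.
     * @return A new {@link IDPAttributeMapper} instance.
     * @throws WSFederationException If no mapper is configured or it cannot be instantiated.
     */
    private static IDPAttributeMapper getIDPAttributeMapper(Map<String, List<String>> attributes)
            throws WSFederationException {
        return instantiateConfiguredMapper(attributes, SAML2Constants.IDP_ATTRIBUTE_MAPPER,
                IDPAttributeMapper.class, "failedAttrMapper");
    }

    /**
     * Loads and instantiates a mapper class whose name is the first value of {@code attributeName} in the
     * IdP configuration attributes.
     * <p>
     * The class name comes from the hosted IdP's own configuration (presumably administrator-managed, not
     * end-user input); {@link Class#asSubclass} guarantees the loaded class actually implements
     * {@code mapperType} before it is instantiated. A missing, empty or blank configuration value, and any
     * reflective failure (class not found, no accessible no-arg constructor, constructor threw), are all
     * reported as a {@link WSFederationException} carrying the message for {@code errorKey}.
     *
     * @param attributes The IdP configuration attributes; may be <code>null</code>.
     * @param attributeName The configuration attribute holding the mapper class name.
     * @param mapperType The mapper interface the configured class must implement.
     * @param errorKey The resource-bundle key used when no usable mapper is configured.
     * @param <T> The mapper type.
     * @return A new mapper instance.
     * @throws WSFederationException If no mapper is configured or it cannot be instantiated.
     */
    private static <T> T instantiateConfiguredMapper(Map<String, List<String>> attributes, String attributeName,
            Class<T> mapperType, String errorKey) throws WSFederationException {
        final List<String> configured = attributes == null ? null : attributes.get(attributeName);
        // Guard against an empty list too: the original get(0) would have thrown IndexOutOfBoundsException.
        final String className = (configured == null || configured.isEmpty()) ? null : configured.get(0);
        if (className == null || className.trim().isEmpty()) {
            throw new WSFederationException(WSFederationUtils.bundle.getString(errorKey));
        }
        try {
            // getDeclaredConstructor().newInstance() replaces the deprecated Class.newInstance(), which
            // re-threw checked exceptions from the constructor without wrapping them.
            return Class.forName(className).asSubclass(mapperType).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException roe) {
            throw new WSFederationException(roe);
        }
    }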
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster}