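<%--
 DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.

 Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved

 The contents of this file are subject to the terms
 of the Common Development and Distribution License
 (the License). You may not use this file except in
 compliance with the License.

 You can obtain a copy of the License at
 https://opensso.dev.java.net/public/CDDLv1.0.html or
 opensso/legal/CDDLv1.0.txt
 See the License for the specific language governing
 permission and limitations under the License.

 When distributing Covered Code, include this CDDL
 Header Notice in each file and include the License file
 at opensso/legal/CDDLv1.0.txt.
 If applicable, add the following below the CDDL Header,
 with the fields enclosed by brackets [] replaced by
 your own identifying information:
 "Portions Copyrighted [year] [name of copyright owner]"

 $Id: idpSingleLogoutRedirect.jsp,v 1.9 2009/06/12 22:21:42 mallas Exp $

--%>

<%--
 Portions Copyrighted 2013 ForgeRock AS
--%>


<%@ page import="com.sun.identity.saml.common.SAMLUtils" %>
<%@ page import="com.sun.identity.saml2.common.SAML2Utils" %>
<%@ page import="com.sun.identity.saml2.common.SAML2Constants" %>
<%@ page import="com.sun.identity.saml2.common.SAML2Exception" %>
<%@ page import="com.sun.identity.saml2.profile.IDPCache" %>
<%@ page import="com.sun.identity.saml2.profile.IDPSingleLogout" %>
<%@ page import="org.owasp.esapi.ESAPI" %>

<%--
 idpSingleLogoutRedirect.jsp

 SAMLv2 Single Logout, HTTP-Redirect binding, Identity Provider side.
 The page handles exactly one of two inbound messages:

 - SAMLRequest  - a LogoutRequest from a Service Provider; the IDP processes
                  it and sends the LogoutResponse back to the SP.
 OR
 - SAMLResponse - a LogoutResponse from a Service Provider, replying to a
                  LogoutRequest the IDP sent earlier.

 Optional parameter:
 - RelayState   - the target URL to redirect to on successful Single Logout.
                  Before it is used as a redirect target it must pass both
                  SAML2Utils.isRelayStateURLValid() for the IDP role and
                  ESAPI URL validation; otherwise a local default page is
                  forwarded to instead.

 Check the SAML2 Documentation for supported parameters.
--%>
<html>

<head>
<title>SAMLv2 Single Logout Redirect binding at IDP</title>
</head>
<body bgcolor="#FFFFFF" text="#000000">

<%
    // Resolve RelayState. The wire value may be a key into
    // IDPCache.relayStateCache (populated elsewhere by the IDP); when the
    // cache holds an entry for it, that entry replaces the raw parameter and
    // the cache entry is consumed (remove, not get).
    String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
    if (relayState != null) {
        String cachedRelayState = (String) IDPCache.relayStateCache.remove(relayState);
        if (cachedRelayState != null) {
            relayState = cachedRelayState;
        }
    }
    // Discard anything that does not look like a query-string value. allowNull
    // is true, so a missing RelayState passes this check and stays null.
    if (!ESAPI.validator().isValidInput("HTTP Query String: " + relayState, relayState,
            "HTTPQueryString", 2000, true)) {
        relayState = null;
    }

    String samlResponse = request.getParameter(SAML2Constants.SAML_RESPONSE);
    if (samlResponse != null) {
        // ---- LogoutResponse from the SP ----
        boolean doRelayState = true;
        try {
            // Processes the LogoutResponse from the SP: per the original page
            // comment this destroys the local session and checks the
            // response's issuer and InResponseTo. Throws SAML2Exception on a
            // processing error.
            // NOTE(review): the return value is used below as "false => this
            // page still has to redirect to relayState"; confirm that reading
            // against IDPSingleLogout.processLogoutResponse.
            doRelayState = IDPSingleLogout.processLogoutResponse(
                    request, response, samlResponse, relayState);
        } catch (SAML2Exception sse) {
            SAML2Utils.debug.error("Error processing LogoutResponse :", sse);
            // NOTE(review): the exception message is handed to the error page;
            // confirm SAMLUtils.sendError escapes it and that SAML2Exception
            // messages carry no internal detail worth withholding from a client.
            SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                    "LogoutResponseProcessingError",
                    SAML2Utils.bundle.getString("LogoutResponseProcessingError")
                            + " " + sse.getMessage());
            return;
        } catch (Exception e) {
            SAML2Utils.debug.error("Error processing LogoutResponse ", e);
            SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                    "LogoutResponseProcessingError",
                    SAML2Utils.bundle.getString("LogoutResponseProcessingError")
                            + " " + e.getMessage());
            return;
        }

        if (!doRelayState) {
            // relayState is only ever used as a redirect target after the
            // IDP-role RelayState check and ESAPI URL validation; anything
            // else falls through to the local default page.
            if (relayState != null
                    && SAML2Utils.isRelayStateURLValid(request, relayState, SAML2Constants.IDP_ROLE)
                    && ESAPI.validator().isValidInput("HTTP URL Value: " + relayState, relayState,
                            "URL", 2000, true)) {
                // Append the logout status as a query parameter, continuing an
                // existing query string if there is one.
                String separator = relayState.contains("?") ? "&" : "?";
                response.sendRedirect(relayState + separator + "logoutStatus=logoutSuccess");
            } else {
%>
<jsp:forward page="/saml2/jsp/default.jsp?message=idpSloSuccess" />
<%
            }
        }
    } else {
        // ---- LogoutRequest from the SP ----
        String samlRequest = request.getParameter(SAML2Constants.SAML_REQUEST);
        if (samlRequest != null) {
            try {
                // Processes the LogoutRequest from the SP; the LogoutResponse
                // back to the SP is produced inside IDPSingleLogout. Throws
                // SAML2Exception on a processing error.
                IDPSingleLogout.processLogoutRequest(request, response,
                        samlRequest, relayState);
            } catch (SAML2Exception sse) {
                SAML2Utils.debug.error("Error processing LogoutRequest :", sse);
                SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                        "LogoutRequestProcessingError",
                        SAML2Utils.bundle.getString("LogoutRequestProcessingError")
                                + " " + sse.getMessage());
                return;
            } catch (Exception e) {
                SAML2Utils.debug.error("Error processing LogoutRequest ", e);
                SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                        "LogoutRequestProcessingError",
                        SAML2Utils.bundle.getString("LogoutRequestProcessingError")
                                + " " + e.getMessage());
                return;
            }
        }
        // NOTE(review): when neither SAMLRequest nor SAMLResponse is present the
        // page renders an empty body with HTTP 200 rather than an error; the
        // original behaves the same way, so this is left unchanged here.
    }
%>

</body>
</html>
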