DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
The contents of this file are subject to the terms
of the Common Development and Distribution License
(the License). You may not use this file except in
compliance with the License.
You can obtain a copy of the License at
https://opensso.dev.java.net/public/CDDLv1.0.html or
See the License for the specific language governing
permission and limitations under the License.
When distributing Covered Code, include this CDDL
Header Notice in each file and include the License file
If applicable, add the following below the CDDL Header,
with the fields enclosed by brackets [] replaced by
your own identifying information:
"Portions Copyrighted [year] [name of copyright owner]"
$Id: spAssertionConsumer.jsp,v 1.17 2010/01/23 00:07:06 exu Exp $
Portions Copyrighted 2012-2013 ForgeRock AS
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrewsimport="com.sun.identity.shared.encode.URLEncDec,
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox Usercom.sun.identity.plugin.session.SessionManager,
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updatercom.sun.identity.plugin.session.SessionException,
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User<%@ page import="java.io.PrintWriter" %>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater <title>SP Assertion Consumer Service</title>
/**
 * Builds the local-login URL this page forwards to when an assertion arrives
 * but no local session can be used: the main scriptlet calls this both when
 * {@code federate=true} and no session token exists, and when SSO fails with
 * the "noUserMapping" error.
 *
 * The returned URL is the value of {@code SPACSUtils.prepareForLocalLogin(...)}
 * with a {@code goto} query parameter appended. The {@code goto} target points
 * back at this consumer ({@code requestURL}) carrying {@code resID} (the ID of
 * the SAML response being processed) and, when present, the {@code RelayState},
 * so processing can resume after the local login.
 *
 * NOTE(review): {@code relayState} originates from the request parameter read
 * in the main scriptlet and is only URL-encoded here; the redirect-target
 * validation ({@code SAML2Utils.validateRelayStateURL}) visible later in this
 * file runs on the final redirect, not on this value. Whether the relay state
 * has been validated before reaching this method is not visible here — confirm.
 * {@code requestURL} is taken from {@code request.getRequestURL()} in the
 * caller, i.e. it reflects the inbound request's host; presumably any
 * host/proxy checks happen upstream — confirm.
 *
 * NOTE(review): this blame excerpt omits source lines: the choice between
 * the "?goto=" and "&goto=" separators (two consecutive appends below) and
 * the closing of the RelayState branch are not shown, so the statements below
 * are not the complete method body.
 *
 * @param orgName      realm of the hosted SP (the caller defaults it to "/")
 * @param hostEntityId entity ID of the hosted SP resolved from the meta alias
 * @param metaManager  SAML2 metadata manager used by prepareForLocalLogin
 * @param respInfo     the SAML response being processed; its ID is embedded
 *                     in the goto target
 * @param requestURL   URL of this consumer request, used as the goto target
 * @param relayState   relay state to carry through the local login; may be
 *                     null or empty, in which case it is omitted
 * @return the local-login URL with the URL-encoded goto target appended
 */
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater private String getLocalLoginUrl(
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews String orgName,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews String hostEntityId,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews SAML2MetaManager metaManager,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews ResponseInfo respInfo,
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater String requestURL,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews String relayState)
// Base URL of the local login page for this realm/SP.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews String localLoginUrl = SPACSUtils.prepareForLocalLogin(
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews orgName, hostEntityId, metaManager, respInfo, requestURL);
// Query-string separator for the goto parameter; the condition selecting
// between the two forms is not shown in this excerpt.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews localLoginUrl += "?goto=";
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews localLoginUrl += "&goto=";
// Return target: this consumer again, keyed by the SAML response ID so the
// stored response can be picked up after login.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews String gotoURL = requestURL + "?resID="
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews + URLEncDec.encode(respInfo.getResponse().getID());
// Carry the relay state through the local login only when one was supplied.
950d203b64f512b85fcc093ee1e9e3e531a1aea3Tinderbox User if (relayState != null && relayState.length() != 0) {
950d203b64f512b85fcc093ee1e9e3e531a1aea3Tinderbox User gotoURL += "&RelayState=" + URLEncDec.encode(relayState);
// The whole goto target is encoded once more because it is itself a
// query-parameter value of the login URL.
950d203b64f512b85fcc093ee1e9e3e531a1aea3Tinderbox User localLoginUrl += URLEncDec.encode(gotoURL);
// Debug-level only; the logged URL contains the response ID and relay state.
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User SAML2Utils.debug.message("spAssertionConsumer.jsp: local login "
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User + "url=" + localLoginUrl);
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User return localLoginUrl;
950d203b64f512b85fcc093ee1e9e3e531a1aea3Tinderbox User // check request, response, content length
27739dd25026283c24645c8a1044b95ef9eb5ac6Tinderbox User if ((request == null) || (response == null)) {
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
18920d790825d96ca3943aa2dcb6eb80dc611c5fTinderbox User "nullInput", SAML2Utils.bundle.getString("nullInput"));
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User // to avoid dos attack
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews // or use SAML2Utils?
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews } catch (ServletException se) {
77932ac533c711eca5cd86de4e7eca8d91102b43Tinderbox User SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews "largeContentLength", se.getMessage());
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews if (FSUtils.needSetLBCookieAndRedirect(request, response, false)) {
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews String requestURL = request.getRequestURL().toString();
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews // get entity id and orgName
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User if (metaManager == null) {
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User SAMLUtils.sendError(request, response,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews response.SC_INTERNAL_SERVER_ERROR, "errorMetaManager",
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User SAML2Utils.bundle.getString("errorMetaManager"));
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson String hostEntityId = null;
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews hostEntityId = metaManager.getEntityByMetaAlias(metaAlias);
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User } catch (SAML2MetaException sme) {
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews SAMLUtils.sendError(request, response,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews response.SC_INTERNAL_SERVER_ERROR, "metaDataError",
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews SAML2Utils.bundle.getString("metaDataError"));
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews if (hostEntityId == null) {
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User SAMLUtils.sendError(request, response,
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User response.SC_INTERNAL_SERVER_ERROR, "metaDataError",
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews SAML2Utils.bundle.getString("metaDataError"));
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews String orgName = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont if (orgName == null || orgName.length() == 0) {
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews orgName = "/";
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews // federate flag
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews String federate = request.getParameter(SAML2Constants.FEDERATE);
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews SessionProvider sessionProvider = null;
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews ResponseInfo respInfo = null;
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews sessionProvider = SessionManager.getProvider();
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews } catch (SessionException se) {
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews SAMLUtils.sendError(request, response,
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews response.SC_INTERNAL_SERVER_ERROR, "nullSessionProvider",
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews request, response, orgName, hostEntityId, metaManager);
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews } catch (SAML2Exception se) {
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User // Only do a sendError if one hasn't already been called.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User SAMLUtils.sendError(request, response,
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater response.SC_INTERNAL_SERVER_ERROR, "getResponseError",
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User String ecpRelayState = respInfo.getRelayState();
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews if ((ecpRelayState != null) && (ecpRelayState.length() > 0)) {
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User relayState = ecpRelayState;
fa0326cc2cf428f67575b6ba3b97b528a31b0010Tinderbox User Object token = null;
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User } catch (SessionException se) {
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater "spAssertionConsumer.jsp: Token is null." +
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User token = null;
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User if (federate != null && federate.trim().equals("true") &&
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson token == null) {
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews SAML2Utils.debug.message("spAssertionConsumer.jsp: federate "
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User + "is true, and token is null. do local login first.");
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User FSUtils.forwardRequest(request, response, getLocalLoginUrl(
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater orgName, hostEntityId, metaManager, respInfo,
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User requestURL, relayState));
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Object newSession = null;
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User request, response, new PrintWriter(out, true), metaAlias, token, respInfo,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews orgName, hostEntityId, metaManager);
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User } catch (SAML2Exception se) {
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews SAML2Utils.debug.error("spAssertionConsumer.jsp: SSO failed.", se);
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User String[] data = {hostEntityId,se.getMessage(),""};
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson if (LogUtil.isErrorLoggable(Level.FINE)) {
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User data[2] = respInfo.getResponse().toXMLString(true, true);
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews // response had been redirected already.
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User if (se.getMessage().equals(SAML2Utils.bundle.getString("noUserMapping"))) {
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews SAML2Utils.debug.message("spAssertionConsumer.jsp:need "
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews + " local login!!");
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User FSUtils.forwardRequest(request, response, getLocalLoginUrl(
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User orgName, hostEntityId, metaManager, respInfo,
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User requestURL, relayState));
269519eeb959d905ed125f96426e01d725c3b597Tinderbox User SAMLUtils.sendError(request, response,
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater response.SC_INTERNAL_SERVER_ERROR, "SSOFailed",
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater SAML2Utils.bundle.getString("SSOFailed"));
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User if (newSession == null) {
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews SAML2Utils.debug.message("Session is null.");
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews SAML2Utils.debug.message("spAssertionConsumer.jsp:Login has "
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews + "failed!!");
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater SAMLUtils.sendError(request, response,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater response.SC_INTERNAL_SERVER_ERROR, "SSOFailed",
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater SAML2Utils.bundle.getString("SSOFailed"));
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater String[] redirected = sessionProvider.getProperty(newSession,
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User if ((redirected != null) && (redirected.length != 0) &&
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User redirected[0].equals("true")) {
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater SAML2Utils.debug.message("Redirection already done in SPAdapter.");
19b3dc94bce93fa76bd7e066f9298630dbc9dcb4Automatic Updater // response redirected already in SPAdapter
7f94d9a8162c9a96b56e66176702b66e79d8e1a2Automatic Updater Response saml2Resp = respInfo.getResponse();
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater String requestID = saml2Resp.getInResponseTo();
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater boolean isProxyOn = IDPProxyUtil.isIDPProxyEnabled(requestID);
5ecad47f69b3fd945472ab2900a9ff826a7ce2f6Automatic Updater if (isProxyOn) {
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews IDPProxyUtil.generateProxyResponse(request, response, new PrintWriter(out, true), metaAlias,
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User respInfo,newSession);
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User } catch (SAML2Exception se) {
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User SAML2Utils.debug.message("Failed sending proxy response");
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User // redirect to relay state
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User String finalUrl = SPACSUtils.getRelayState(
4cda4fd158d6ded5586bacea8c388445d99611eaAutomatic Updater relayState, orgName, hostEntityId, metaManager);
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews String realFinalUrl = finalUrl;
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User if (finalUrl != null && finalUrl.length() != 0) {
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater realFinalUrl =
4fe0411487e8e4401477684c0a2bac041ca7c2d5Tinderbox User sessionProvider.rewriteURL(newSession, finalUrl);
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews } catch (SessionException se) {
bf5e2127e92e52cbf661e77dd6a76e5aef43542fTinderbox User "spAssertionConsumer.jsp: URL rewriting failed.", se);
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews realFinalUrl = finalUrl;
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater String redirectUrl = SPACSUtils.getIntermediateURL(
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User orgName, hostEntityId, metaManager);
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User String realRedirectUrl = null;
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater if (redirectUrl != null && redirectUrl.length() != 0) {
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews if (realFinalUrl != null && realFinalUrl.length() != 0) {
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews if (redirectUrl.indexOf("?") != -1) {
da59e63e7af147a8bcef985b98b04443e04c3a0eTinderbox User redirectUrl += "&goto=";
dc5552b4df5e3821783821c8d4e734c1608c446eTinderbox User redirectUrl += "?goto=";
6025cbbe8408f4b09d53d5ec1e95cb6da97e0a8dTinderbox User redirectUrl += URLEncDec.encode(realFinalUrl);
dc5552b4df5e3821783821c8d4e734c1608c446eTinderbox User realRedirectUrl = sessionProvider.rewriteURL(
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater newSession, redirectUrl);
cf7e98f59148b559946a7f1ca728471374f1eef3Automatic Updater } catch (SessionException se) {
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson "spAssertionConsumer.jsp: URL rewriting failed.", se);
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews realRedirectUrl = redirectUrl;
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews realRedirectUrl = redirectUrl;
4fe0411487e8e4401477684c0a2bac041ca7c2d5Tinderbox User realRedirectUrl = finalUrl;
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User if (realRedirectUrl == null || (realRedirectUrl.trim().length() == 0)) {
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews if (isProxyOn) {
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <jsp:forward page="/saml2/jsp/default.jsp?message=ssoSuccess" />
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews SAML2Utils.validateRelayStateURL(orgName, hostEntityId,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews realRedirectUrl,
7ac34650fa344f42211d6da744ae486b0145a083Tinderbox User } catch (SAML2Exception se) {
7ac34650fa344f42211d6da744ae486b0145a083Tinderbox User SAMLUtils.sendError(request, response,
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews response.SC_BAD_REQUEST, "requestProcessingError",
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews SAML2Utils.bundle.getString("requestProcessingError") + " " +
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews response.sendRedirect(realRedirectUrl);