219N/A<%--
219N/A DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
219N/A
219N/A Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
219N/A
219N/A The contents of this file are subject to the terms
219N/A of the Common Development and Distribution License
219N/A (the License). You may not use this file except in
219N/A compliance with the License.
219N/A
219N/A You can obtain a copy of the License at
219N/A https://opensso.dev.java.net/public/CDDLv1.0.html or
219N/A opensso/legal/CDDLv1.0.txt
219N/A See the License for the specific language governing
219N/A permission and limitations under the License.
219N/A
219N/A When distributing Covered Code, include this CDDL
219N/A Header Notice in each file and include the License file
219N/A at opensso/legal/CDDLv1.0.txt.
219N/A If applicable, add the following below the CDDL Header,
219N/A with the fields enclosed by brackets [] replaced by
3817N/A your own identifying information:
219N/A "Portions Copyrighted [year] [name of copyright owner]"
219N/A
219N/A $Id: spAssertionConsumer.jsp,v 1.17 2010/01/23 00:07:06 exu Exp $
219N/A
219N/A Portions Copyrighted 2012-2016 ForgeRock AS.
219N/A--%>
219N/A
219N/A<%@page
618N/Aimport="com.sun.identity.shared.encode.URLEncDec,
219N/Acom.sun.identity.federation.common.FSUtils,
219N/Acom.sun.identity.saml.common.SAMLUtils,
844N/Acom.sun.identity.saml2.common.SAML2Constants,
844N/Acom.sun.identity.saml2.common.SAML2Exception,
618N/Acom.sun.identity.saml2.common.SAML2Utils,
1258N/Acom.sun.identity.saml2.logging.LogUtil,
219N/Acom.sun.identity.saml2.meta.SAML2MetaException,
2899N/Acom.sun.identity.saml2.meta.SAML2MetaManager,
2899N/Acom.sun.identity.saml2.meta.SAML2MetaUtils,
3817N/Acom.sun.identity.saml2.profile.ResponseInfo,
3817N/Acom.sun.identity.saml2.profile.SPACSUtils,
3817N/Acom.sun.identity.saml2.profile.IDPProxyUtil,
3817N/Acom.sun.identity.saml2.protocol.Response,
219N/Acom.sun.identity.plugin.session.SessionManager,
814N/Acom.sun.identity.plugin.session.SessionProvider,
219N/Acom.sun.identity.plugin.session.SessionException,
219N/Ajava.util.logging.Level,
219N/Aorg.forgerock.guice.core.InjectorHolder,
219N/Aorg.forgerock.openam.audit.AuditEventPublisher,
219N/Aorg.forgerock.openam.saml2.audit.SAML2Auditor,
219N/Aorg.forgerock.openam.audit.AuditEventFactory,
219N/Ajava.io.PrintWriter
219N/A"
219N/A%>
219N/A
219N/A<html>
219N/A<head>
219N/A <title>SP Assertion Consumer Service</title>
219N/A</head>
219N/A
219N/A<%!
219N/A private String getLocalLoginUrl(
219N/A String orgName,
219N/A String hostEntityId,
219N/A SAML2MetaManager metaManager,
219N/A ResponseInfo respInfo,
219N/A String requestURL,
219N/A String relayState)
219N/A {
219N/A String localLoginUrl = SPACSUtils.prepareForLocalLogin(
219N/A orgName, hostEntityId, metaManager, respInfo, requestURL);
219N/A if (localLoginUrl.indexOf("?") == -1) {
219N/A localLoginUrl += "?goto=";
219N/A } else {
219N/A localLoginUrl += "&goto=";
219N/A }
219N/A String gotoURL = requestURL + "?resID="
219N/A + URLEncDec.encode(respInfo.getResponse().getID());
219N/A if (relayState != null && relayState.length() != 0) {
219N/A gotoURL += "&RelayState=" + URLEncDec.encode(relayState);
219N/A }
219N/A localLoginUrl += URLEncDec.encode(gotoURL);
219N/A if (SAML2Utils.debug.messageEnabled()) {
219N/A SAML2Utils.debug.message("spAssertionConsumer.jsp: local login "
219N/A + "url=" + localLoginUrl);
219N/A }
219N/A return localLoginUrl;
219N/A }
219N/A%>
219N/A
219N/A<body>
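<%
    // SP Assertion Consumer Service.
    //
    // Receives the SAML Response for the hosted SP identified by the meta alias in the
    // request path, hands it to SPACSUtils for processing, and then either forwards to
    // local login, sends an IDP-proxy response, or redirects to the (validated) RelayState.
    //
    // Every exit path below ends in exactly one audit call (auditAccessSuccess,
    // auditAccessFailure, auditForwardToProxy or auditForwardToLocalUserLogin).
    AuditEventPublisher aep = InjectorHolder.getInstance(AuditEventPublisher.class);
    AuditEventFactory aef = InjectorHolder.getInstance(AuditEventFactory.class);
    SAML2Auditor saml2Auditor = new SAML2Auditor(aep, aef, request);
    saml2Auditor.setMethod("spAssertionConsumer");
    saml2Auditor.setSessionTrackingId(session.getId());
    saml2Auditor.auditAccessAttempt();

    // Defensive check kept from the original. The implicit JSP objects are never null in
    // practice; note that this error path itself dereferences response.
    if ((request == null) || (response == null)) {
        SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
            "nullInput", SAML2Utils.bundle.getString("nullInput"));
        saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
            SAML2Utils.bundle.getString("nullInput"));
        return;
    }
    // DoS mitigation: reject oversized request bodies before any SAML parsing happens.
    try {
        SAMLUtils.checkHTTPContentLength(request);
    } catch (ServletException se) {
        SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
            "largeContentLength", se.getMessage());
        saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
            se.getMessage());
        return;
    }

    // Load-balancer stickiness: if a cookie had to be set and the client redirected, the
    // request has already been answered and processing stops here.
    if (FSUtils.needSetLBCookieAndRedirect(request, response, false)) {
        saml2Auditor.auditForwardToProxy();
        return;
    }

    String requestURL = request.getRequestURL().toString();
    // The hosted SP (and its realm) are identified by the meta alias embedded in the
    // request path, never by anything inside the SAML Response.
    String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    if (realm == null || realm.length() == 0) {
        realm = "/";
    }
    saml2Auditor.setRealm(realm);

    SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();
    if (metaManager == null) {
        // NOTE(review): metadata failures are audited but not written to the debug log.
        SAMLUtils.sendError(request, response,
            response.SC_INTERNAL_SERVER_ERROR, "errorMetaManager",
            SAML2Utils.bundle.getString("errorMetaManager"));
        // Audit the status that was actually sent to the client.
        saml2Auditor.auditAccessFailure(String.valueOf(response.SC_INTERNAL_SERVER_ERROR),
            SAML2Utils.bundle.getString("errorMetaManager"));
        return;
    }
    String hostEntityId = null;
    try {
        hostEntityId = metaManager.getEntityByMetaAlias(metaAlias);
    } catch (SAML2MetaException sme) {
        // NOTE(review): the exception itself is neither logged nor audited.
        SAMLUtils.sendError(request, response,
            response.SC_INTERNAL_SERVER_ERROR, "metaDataError",
            SAML2Utils.bundle.getString("metaDataError"));
        saml2Auditor.auditAccessFailure(String.valueOf(response.SC_INTERNAL_SERVER_ERROR),
            SAML2Utils.bundle.getString("metaDataError"));
        return;
    }
    if (hostEntityId == null) {
        // No hosted entity behind this alias: reported the same way as a metadata error.
        SAMLUtils.sendError(request, response,
            response.SC_INTERNAL_SERVER_ERROR, "metaDataError",
            SAML2Utils.bundle.getString("metaDataError"));
        saml2Auditor.auditAccessFailure(String.valueOf(response.SC_INTERNAL_SERVER_ERROR),
            SAML2Utils.bundle.getString("metaDataError"));
        return;
    }
    // RelayState is untrusted input; it is only ever used as a redirect target after
    // SAML2Utils.validateRelayStateURL below has accepted it.
    String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
    // federate flag: when "true" and the user has no local session yet, the user is sent
    // to local login before the Response is processed (see below).
    String federate = request.getParameter(SAML2Constants.FEDERATE);
    SessionProvider sessionProvider = null;
    ResponseInfo respInfo = null;
    try {
        sessionProvider = SessionManager.getProvider();
    } catch (SessionException se) {
        SAMLUtils.sendError(request, response,
            response.SC_INTERNAL_SERVER_ERROR, "nullSessionProvider",
            se.getMessage());
        saml2Auditor.auditAccessFailure(se.getErrorCode(), se.getLocalizedMessage());
        return;
    }
    try {
        // Obtain the SAML Response for this request. Signature, issuer and condition
        // checks are expected to happen inside SPACSUtils (getResponse/processResponse);
        // nothing in this page inspects the Response itself. Presumably getResponse can
        // also pick up a stored Response by the resID that getLocalLoginUrl puts in the
        // goto URL — TODO confirm.
        respInfo = SPACSUtils.getResponse(
            request, response, realm, hostEntityId, metaManager);
        saml2Auditor.setRequestId(respInfo.getResponse().getInResponseTo());
    } catch (SAML2Exception se) {
        // Only do a sendError if one hasn't already been called.
        if (!response.isCommitted()) {
            SAMLUtils.sendError(request, response,
                response.SC_INTERNAL_SERVER_ERROR, "getResponseError",
                se.getMessage());
        }
        saml2Auditor.auditAccessFailure(se.getErrorCode(), se.getLocalizedMessage());
        return;
    }
    // A RelayState carried with the ResponseInfo overrides the request parameter.
    String ecpRelayState = respInfo.getRelayState();
    if ((ecpRelayState != null) && (ecpRelayState.length() > 0)) {
        relayState = ecpRelayState;
    }
    // Existing local session, if any; absence is not an error at this point.
    Object token = null;
    try {
        token = sessionProvider.getSession(request);
        saml2Auditor.setAuthTokenId(token);
    } catch (SessionException se) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(
                "spAssertionConsumer.jsp: Token is null." +
                se.getMessage());
        }
        token = null;
    }
    if (federate != null && federate.trim().equals("true") &&
        token == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("spAssertionConsumer.jsp: federate "
                + "is true, and token is null. do local login first.");
        }
        FSUtils.forwardRequest(request, response,
            getLocalLoginUrl(realm, hostEntityId, metaManager, respInfo, requestURL, relayState));
        saml2Auditor.auditForwardToLocalUserLogin();
        return;
    }
    Object newSession = null;
    Response saml2Resp = respInfo.getResponse();
    String requestID = saml2Resp.getInResponseTo();
    boolean isProxyOn = IDPProxyUtil.isIDPProxyEnabled(requestID);
    try {
        // Consume the Response; yields the new SP session (null or SAML2Exception on failure).
        newSession = SPACSUtils.processResponse( request, response, new PrintWriter(out, true), metaAlias, token,
            respInfo, realm, hostEntityId, metaManager, saml2Auditor);
        saml2Auditor.setUserId(sessionProvider.getPrincipalName(newSession));
        saml2Auditor.setSSOTokenId(newSession);
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error("spAssertionConsumer.jsp: SSO failed.", se);
        String[] data = {hostEntityId, se.getMessage(), ""};
        if (LogUtil.isErrorLoggable(Level.FINE)) {
            // At FINE the complete Response XML (assertions included) is written to the
            // log; only enable that level where the log store may hold such data.
            data[2] = saml2Resp.toXMLString(true, true);
        }
        LogUtil.error(Level.INFO, LogUtil.SP_SSO_FAILED, data, null);
        if (se.isRedirectionDone()) {
            // The failure handler already answered the client (e.g. with a redirect).
            saml2Auditor.auditAccessSuccess();
            return;
        }
        if (isProxyOn) {
            if ("noPassiveResponse".equals(se.getErrorCode())) {
                // Relay the IDP's NoPassive outcome to the proxied requester.
                try {
                    IDPProxyUtil.sendNoPassiveProxyResponse(request, response, new PrintWriter(out, true),
                        requestID, metaAlias, hostEntityId, realm);
                } catch (SAML2Exception samle) {
                    SAML2Utils.debug.error("Failed to send nopassive proxy response", samle);
                }
                return;
            }
        }
        // Constant on the left so a null exception message cannot NPE here.
        if (SAML2Utils.bundle.getString("noUserMapping").equals(se.getMessage())) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("spAssertionConsumer.jsp:need local login!!");
            }
            FSUtils.forwardRequest(request, response,
                getLocalLoginUrl(realm, hostEntityId, metaManager, respInfo, requestURL, relayState));
            saml2Auditor.auditForwardToLocalUserLogin();
            return;
        }
        SAMLUtils.sendError(request, response, response.SC_INTERNAL_SERVER_ERROR, "SSOFailed",
            SAML2Utils.bundle.getString("SSOFailed"));
        saml2Auditor.auditAccessFailure(String.valueOf(response.SC_INTERNAL_SERVER_ERROR),
            SAML2Utils.bundle.getString("SSOFailed"));
        return;
    }
    if (newSession == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("Session is null.");
            SAML2Utils.debug.message("spAssertionConsumer.jsp:Login has failed!!");
        }
        SAMLUtils.sendError(request, response, response.SC_INTERNAL_SERVER_ERROR, "SSOFailed",
            SAML2Utils.bundle.getString("SSOFailed"));
        saml2Auditor.auditAccessFailure(String.valueOf(
            response.SC_INTERNAL_SERVER_ERROR), SAML2Utils.bundle.getString("SSOFailed"));
        return;
    }
    SAML2Utils.debug.message("SSO SUCCESS");
    // An SPAdapter may have redirected the client already; it signals that via a
    // session property.
    String[] redirected = sessionProvider.getProperty(newSession,
        SAML2Constants.RESPONSE_REDIRECTED);
    if ((redirected != null) && (redirected.length != 0) &&
        redirected[0].equals("true")) {
        SAML2Utils.debug.message("Redirection already done in SPAdapter.");
        // response redirected already in SPAdapter
        saml2Auditor.auditForwardToProxy();
        return;
    }
    if (isProxyOn) {
        // Acting as IDP proxy: answer the original requester with a new Response instead
        // of redirecting the browser to the RelayState.
        try {
            IDPProxyUtil.generateProxyResponse(request, response, new PrintWriter(out, true), metaAlias, respInfo,
                newSession);
            saml2Auditor.auditForwardToProxy();
        } catch (SAML2Exception se) {
            SAML2Utils.debug.error("Failed sending proxy response", se);
            saml2Auditor.auditAccessFailure(se.getErrorCode(), se.getLocalizedMessage());
        }
        return;
    }
    // Resolve the redirect target: the RelayState as resolved by SPACSUtils (presumably
    // falling back to the SP's configured default when none was supplied), rewritten to
    // carry the session when cookies are not available.
    String finalUrl = SPACSUtils.getRelayState(relayState, realm, hostEntityId, metaManager);
    String realFinalUrl = finalUrl;
    if (finalUrl != null && finalUrl.length() != 0) {
        try {
            realFinalUrl = sessionProvider.rewriteURL(newSession, finalUrl);
        } catch (SessionException se) {
            SAML2Utils.debug.message(
                "spAssertionConsumer.jsp: URL rewriting failed.", se);
            realFinalUrl = finalUrl;
        }
    }
    // If the SP has an intermediate URL configured, go there first with the final target
    // URL-encoded into its goto parameter.
    String redirectUrl = SPACSUtils.getIntermediateURL(realm, hostEntityId, metaManager);
    String realRedirectUrl = null;
    if (redirectUrl != null && redirectUrl.length() != 0) {
        if (realFinalUrl != null && realFinalUrl.length() != 0) {
            if (redirectUrl.indexOf("?") != -1) {
                redirectUrl += "&goto=";
            } else {
                redirectUrl += "?goto=";
            }
            redirectUrl += URLEncDec.encode(realFinalUrl);
            try {
                realRedirectUrl = sessionProvider.rewriteURL(newSession, redirectUrl);
            } catch (SessionException se) {
                SAML2Utils.debug.message("spAssertionConsumer.jsp: URL rewriting failed.", se);
                realRedirectUrl = redirectUrl;
            }
        } else {
            realRedirectUrl = redirectUrl;
        }
    } else {
        realRedirectUrl = finalUrl;
    }
    if (realRedirectUrl == null || (realRedirectUrl.trim().length() == 0)) {
        // isProxyOn cannot be true here (the proxy branch above always returns), so this
        // branch is effectively dead and kept only for the original structure.
        if (isProxyOn) {
            saml2Auditor.auditForwardToProxy();
            return;
        } else {
            // Nowhere to send the user: show the generic success page.
            saml2Auditor.auditAccessSuccess();
%>
<jsp:forward page="/saml2/jsp/default.jsp?message=ssoSuccess" />
<%
        }
    } else {
        // Open-redirect guard: the target must match the SP's allowed RelayState URLs.
        // When an intermediate URL is configured, the value checked here is that URL
        // (with the final target encoded inside its goto parameter), not the final
        // target itself.
        try {
            SAML2Utils.validateRelayStateURL(realm, hostEntityId, realRedirectUrl, SAML2Constants.SP_ROLE);
        } catch (SAML2Exception se) {
            SAMLUtils.sendError(request, response,
                response.SC_BAD_REQUEST, "requestProcessingError",
                SAML2Utils.bundle.getString("requestProcessingError") + " " + se.getMessage());
            saml2Auditor.auditAccessFailure(se.getErrorCode(), se.getLocalizedMessage());
            return;
        }
        saml2Auditor.auditAccessSuccess();
        response.sendRedirect(realRedirectUrl);
    }
%>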
</body>
</html>