spSingleLogoutInit.jsp revision ea968a2519a7cf9282263e27b81ad7eb6706ef3a
<%--
 DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.

 Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved

 The contents of this file are subject to the terms
 of the Common Development and Distribution License
 (the License). You may not use this file except in
 compliance with the License.

 You can obtain a copy of the License at
 https://opensso.dev.java.net/public/CDDLv1.0.html or
 opensso/legal/CDDLv1.0.txt
 See the License for the specific language governing
 permission and limitations under the License.

 When distributing Covered Code, include this CDDL
 Header Notice in each file and include the License file
 at opensso/legal/CDDLv1.0.txt.
 If applicable, add the following below the CDDL Header,
 with the fields enclosed by brackets [] replaced by
 your own identifying information:
 "Portions Copyrighted [year] [name of copyright owner]"

 $Id: spSingleLogoutInit.jsp,v 1.13 2009/10/15 00:01:11 exu Exp $

 Portions Copyrighted 2012-2015 ForgeRock AS.
--%>

2N/A<%@ page import="com.sun.identity.plugin.session.SessionManager" %>
2N/A<%@ page import="com.sun.identity.plugin.session.SessionException" %>
2N/A<%@ page import="com.sun.identity.saml.common.SAMLUtils" %>
2N/A<%@ page import="com.sun.identity.saml2.common.SAML2Utils" %>
2N/A<%@ page import="com.sun.identity.saml2.common.SAML2Constants" %>
2N/A<%@ page import="com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement" %>
2N/A<%@ page import="com.sun.identity.saml2.meta.SAML2MetaManager" %>
2N/A<%@ page import="com.sun.identity.saml2.meta.SAML2MetaUtils" %>
2N/A<%@ page import="com.sun.identity.saml2.common.SAML2Exception" %>
2N/A<%@ page import="com.sun.identity.saml2.profile.LogoutUtil" %>
2N/A<%@ page import="com.sun.identity.saml2.profile.SPCache" %>
2N/A<%@ page import="com.sun.identity.saml2.profile.SPSingleLogout" %>
2N/A<%@ page import="java.util.HashMap" %>
2N/A<%@ page import="java.util.List" %>
2N/A<%@ page import="org.owasp.esapi.ESAPI" %>
2N/A<%@ page import="java.io.PrintWriter" %>

<%--
 spSingleLogoutInit.jsp
 - initiates the LogoutRequest at the Service Provider.

 Required parameters to this jsp are :
 "binding" - binding used for this request
 "NameIDValue" - NameID value for the user. Required in the fedlet case.
 "SessionIndex" - the session that has this sessionIndex is to be single
 logged out. Required in the fedlet case.
 "idpEntityID" - identifier for the identity provider. Required in the fedlet
 case. If "binding" is not set, this parameter is used to find the
 default binding.
 Some of the other optional parameters are :
 "RelayState" - the target URL on successful Single Logout
 "goto" - the target URL on successful Single Logout.
 "RelayState" takes precedence over the "goto" parameter.
 "Destination" - a URI reference indicating the address to
 which the request has been sent.
 "Consent" - specifies a URI, a SAML-defined identifier
 known as a Consent Identifier.
 "Extension" - specifies a list of Extensions as a list of
 String objects.
 "spEntityID" - the fedlet's entity ID. Used in the fedlet case. When it is
 missing, the first SP from metadata is used.
 Check the SAML2 documentation for supported parameters.
--%>
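<%
// Initiates a SAML2 Single Logout from the Service Provider side.
//
// Everything runs inside one try block so that failures are reported through
// SAMLUtils.sendError instead of the container's default error page:
//   1. pick the post-logout target ("RelayState", falling back to "goto") and
//      discard it unless it passes the ESAPI "HTTPQueryString" rule;
//   2. resolve the local session and the SP metaAlias (from the session
//      property in the regular case, from "spEntityID" / the first hosted SP
//      in the fedlet case);
//   3. collect the LogoutRequest parameters into paramsMap and hand them to
//      SPSingleLogout.initiateLogoutRequest;
//   4. for the SOAP binding, complete the browser response here with a
//      redirect or a forward to the default success page.
//
// Every redirect to RelayState is guarded by SAML2Utils.isRelayStateURLValid
// plus the ESAPI "URL" rule; a value that fails either guard falls through to
// the default.jsp forward instead of being redirected to.
try {
    // "RelayState" wins over "goto" when both are present.
    String RelayState = request.getParameter(SAML2Constants.RELAY_STATE);
    if (RelayState == null || RelayState.isEmpty()) {
        RelayState = request.getParameter(SAML2Constants.GOTO);
    }
    // allowNull=true: an absent value is fine; a malformed one is dropped.
    if (!ESAPI.validator().isValidInput("RelayState", RelayState, "HTTPQueryString", 2000, true)) {
        RelayState = null;
    }

    String metaAlias = null;
    Object ssoToken = null;
    try {
        ssoToken = SessionManager.getProvider().getSession(request);
    } catch (SessionException se) {
        // Having no local session is a normal state for this page, not an error.
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("No session.");
        }
        ssoToken = null;
    }

    String spEntityID = null;
    SAML2MetaManager manager = new SAML2MetaManager();
    if (!SPCache.isFedlet) {
        if (ssoToken == null) {
            // Without a local session there is nothing to log out at the IdP:
            // send the user on to RelayState (if safe) or to the success page.
            if (RelayState != null && !RelayState.isEmpty()
                    && SAML2Utils.isRelayStateURLValid(request, RelayState, SAML2Constants.SP_ROLE)
                    && ESAPI.validator().isValidInput("RelayState", RelayState, "URL", 2000, true)) {
                response.sendRedirect(RelayState);
            } else {
%>
<jsp:forward page="/saml2/jsp/default.jsp?message=spSloSuccess"/>
<%
            }
            return;
        }
        // The SP metaAlias was stored on the session as a session property.
        String[] values = SessionManager.getProvider().getProperty(ssoToken, SAML2Constants.SP_METAALIAS);
        if (values != null && values.length > 0) {
            metaAlias = values[0];
        }
    } else {
        // Fedlet: the SP is named by "spEntityID"; otherwise the first hosted SP is used.
        spEntityID = request.getParameter("spEntityID");
        if ((spEntityID == null) || (spEntityID.length() == 0)) {
            List spMetaAliases = manager.getAllHostedServiceProviderMetaAliases("/");
            if ((spMetaAliases != null) && !spMetaAliases.isEmpty()) {
                metaAlias = (String) spMetaAliases.get(0);
            }
        } else {
            SPSSOConfigElement spConfig = manager.getSPSSOConfig("/", spEntityID);
            if (spConfig != null) {
                metaAlias = spConfig.getMetaAlias();
            }
        }
    }

    if (metaAlias == null) {
        // No SP to act for: drop the local session (if any) and finish locally.
        try {
            SessionManager.getProvider().invalidateSession(ssoToken, request, response);
        } catch (SessionException se) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("No session.");
            }
        }
        // Same redirect guard as the no-session branch above, including the
        // empty-string check so that an empty RelayState is never redirected to.
        if (RelayState != null && !RelayState.isEmpty()
                && SAML2Utils.isRelayStateURLValid(request, RelayState, SAML2Constants.SP_ROLE)
                && ESAPI.validator().isValidInput("RelayState", RelayState, "URL", 2000, true)) {
            response.sendRedirect(RelayState);
        } else {
%>
<jsp:forward page="/saml2/jsp/default.jsp?message=spSloSuccess"/>
<%
        }
        return;
    }

    String idpEntityID = request.getParameter("idpEntityID");
    // Per the page header: when "binding" is not supplied, idpEntityID is used
    // to look up the default binding.
    String binding = LogoutUtil.getSLOBindingInfo(request, metaAlias, SAML2Constants.SP_ROLE, idpEntityID);
    if (spEntityID == null) {
        spEntityID = manager.getEntityByMetaAlias(metaAlias);
    }
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);

    // paramsMap is the parameter set handed to SPSingleLogout.initiateLogoutRequest.
    // String values are stored under "metaAlias", "idpEntityID", ROLE, BINDING,
    // "Destination", "Consent", "Extension", RELAY_STATE (when one was resolved)
    // and, in the fedlet case, "SessionIndex" and "infoKey"
    // (spEntityID|idpEntityID|NameIDValue).
    HashMap paramsMap = new HashMap();
    if (SPCache.isFedlet) {
        // The fedlet has no local session to read these from, so they are
        // mandatory request parameters; each missing one is a 400.
        String sessionIndex = request.getParameter("SessionIndex");
        if ((sessionIndex == null) || (sessionIndex.length() == 0)) {
            SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                    "nullSessionIndex",
                    SAML2Utils.bundle.getString("nullSessionIndex"));
            return;
        }
        paramsMap.put("SessionIndex", sessionIndex);

        String nameID = request.getParameter("NameIDValue");
        if ((nameID == null) || (nameID.length() == 0)) {
            SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                    "nullNameID",
                    SAML2Utils.bundle.getString("nullNameID"));
            return;
        }
        if (idpEntityID == null) {
            SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                    "nullIDPEntityID",
                    SAML2Utils.bundle.getString("nullIDPEntityID"));
            return;
        }
        // spEntityID was already resolved from metaAlias above; no second lookup needed.
        paramsMap.put("infoKey", spEntityID + "|" + idpEntityID + "|" + nameID);
    }

    paramsMap.put("metaAlias", metaAlias);
    paramsMap.put("idpEntityID", idpEntityID);
    paramsMap.put(SAML2Constants.ROLE, SAML2Constants.SP_ROLE);
    paramsMap.put(SAML2Constants.BINDING, binding);
    paramsMap.put("Destination", request.getParameter("Destination"));
    paramsMap.put("Consent", request.getParameter("Consent"));
    paramsMap.put("Extension", request.getParameter("Extension"));
    // Fall back to the SP's configured default RelayState when the request gave none.
    if (RelayState == null || RelayState.isEmpty()) {
        RelayState = SAML2Utils.getAttributeValueFromSSOConfig(
                realm, spEntityID, SAML2Constants.SP_ROLE, SAML2Constants.DEFAULT_RELAY_STATE);
    }
    if (RelayState != null) {
        paramsMap.put(SAML2Constants.RELAY_STATE, RelayState);
    }

    SPSingleLogout.initiateLogoutRequest(request, response, new PrintWriter(out, true), binding, paramsMap);
    // Only the SOAP binding is completed here; for the other bindings
    // initiateLogoutRequest is presumed to have written the redirect/POST
    // itself — confirm against SPSingleLogout. The metaAlias overload of
    // isRelayStateURLValid is used here because the SP is known by now.
    if (binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
        if (RelayState != null && !RelayState.isEmpty()
                && SAML2Utils.isRelayStateURLValid(metaAlias, RelayState, SAML2Constants.SP_ROLE)
                && ESAPI.validator().isValidInput("RelayState", RelayState, "URL", 2000, true)) {
            response.sendRedirect(RelayState);
        } else {
%>
<jsp:forward page="/saml2/jsp/default.jsp?message=spSloSuccess"/>
<%
        }
    }
} catch (SAML2Exception sse) {
    // NOTE(review): the exception text is echoed into the client-visible error
    // page; this relies on SAMLUtils.sendError escaping it — confirm.
    SAML2Utils.debug.error("Error sending Logout Request ", sse);
    SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
            "LogoutRequestCreationError",
            SAML2Utils.bundle.getString("LogoutRequestCreationError") + " " + sse.getMessage());
    return;
} catch (Exception e) {
    // Page-level boundary catch: anything else becomes a 400 instead of a
    // container stack trace.
    SAML2Utils.debug.error("Error initializing Request ", e);
    SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
            "LogoutRequestCreationError",
            SAML2Utils.bundle.getString("LogoutRequestCreationError") + " " + e.getMessage());
    return;
}
%>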