Ejemplo n.º 1
0
  /**
   * @param xacmlQuery XACML Query
   * @param realm the entity's realm.
   * @param pepEntityID entity identifier of PEP.
   * @param pdpEntityID entity identifier of PDP.
   * @throws <code>SAML2Exception</code> if error in verifying the signature.
   */
  private static void signAttributeQuery(
      XACMLAuthzDecisionQuery xacmlQuery, String realm, String pepEntityID, boolean includeCert)
      throws SAML2Exception {

    KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
    XACMLAuthzDecisionQueryConfigElement pepConfig = getPEPConfig(realm, pepEntityID);

    String alias = getAttributeValueFromPEPConfig(pepConfig, "signingCertAlias");

    PrivateKey signingKey = keyProvider.getPrivateKey(alias);
    if (signingKey == null) {
      throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }

    X509Certificate signingCert = null;
    if (includeCert) {
      signingCert = keyProvider.getX509Certificate(alias);
    }

    if (signingKey != null) {
      xacmlQuery.sign(signingKey, signingCert);
    }
  }
Ejemplo n.º 2
0
  /**
   * Returns SAMLv2 <code>Response</code>. SAMLv2 request is sent enclosed in the body of a SOAP
   * Message to a SOAP endpoint. Prior to sending the request query, attributes required for
   * completeness of the SAMLv2 Request will be set (eg. Issuer) if not already set. Message will be
   * signed if signing is enabled. SAMLv2 Query Request will be enclosed in the SOAP Body to create
   * a SOAP message to send to the server.
   *
   * @param request the SAMLv2 <code>RequestAbstract</code> object.
   * @param pepEntityID entity identifier of the hosted query requester.
   * @param pdpEntityID entity identifier of the remote server.
   * @return SAMLv2 <code>Response</code> received from the Query Responder.
   * @throws SAML2Exception if there is an error processing the query.
   */
  public static Response processXACMLQuery(
      RequestAbstract request, String pepEntityID, String pdpEntityID) throws SAML2Exception {
    String classMethod = "QueryClient:processXACMLQuery";
    String realm = "/";
    Response samlResponse = null;
    Response response = null;
    // retreive pepEntityID metadata
    if (pepEntityID == null || pepEntityID.length() == 0) {
      debug.error(classMethod + "PEP Identifier is null");
      String[] data = {pepEntityID};
      LogUtil.error(Level.INFO, LogUtil.INVALID_PEP_ID, data);
      throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullPEP"));
    }
    // retreive pdpEntityID metadata
    if (pdpEntityID == null || pdpEntityID.length() == 0) {
      debug.error(classMethod + "PDP Identifier is null");
      String[] data = {pdpEntityID};
      LogUtil.error(Level.INFO, LogUtil.INVALID_PDP_ID, data);
      throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullPDP"));
    }

    if (request != null) {
      // set properties in the request.
      XACMLAuthzDecisionQuery xacmlQuery = (XACMLAuthzDecisionQuery) request;
      if (xacmlQuery != null) {
        // set Issuer
        Issuer issuer = createIssuer(pepEntityID);
        xacmlQuery.setIssuer(issuer);
        // generate ID
        String requestID = SAML2SDKUtils.generateID();
        xacmlQuery.setID(requestID);
        xacmlQuery.setVersion(SAML2Constants.VERSION_2_0);
        xacmlQuery.setIssueInstant(new Date());

        XACMLPDPConfigElement pdpConfig = getPDPConfig(realm, pdpEntityID);
        if (pdpConfig != null) {
          String wantQuerySigned =
              getAttributeValueFromPDPConfig(pdpConfig, "wantXACMLAuthzDecisionQuerySigned");
          if (wantQuerySigned != null && wantQuerySigned.equals("true")) {
            signAttributeQuery(xacmlQuery, realm, pepEntityID, false);
          }
        }

        String xmlString = xacmlQuery.toXMLString(true, true);
        if (debug.messageEnabled()) {
          debug.message(classMethod + "XACML Query XML String :" + xmlString);
        }
        // retrieve endpoint from meta data
        String endPoint = null;
        XACMLAuthzDecisionQueryConfigElement pepConfig = getPEPConfig(realm, pepEntityID);
        endPoint = getPDPEndPoint(pdpEntityID);
        if (debug.messageEnabled()) {
          debug.message(classMethod + " ResponseLocation is :" + endPoint);
        }
        // create SOAP message
        try {
          String soapMessage = SAML2SDKUtils.createSOAPMessageString(xmlString);

          endPoint = SAML2SDKUtils.fillInBasicAuthInfo(pepConfig, endPoint);
          String[] urls = {endPoint};
          SOAPClient soapClient = new SOAPClient(urls);
          if (debug.messageEnabled()) {
            debug.message(classMethod + "soapMessage :" + soapMessage);
          }
          InputStream soapIn = soapClient.call(soapMessage, null, null);
          StringBuffer reply = new StringBuffer();
          String line;
          BufferedReader reader = new BufferedReader(new InputStreamReader(soapIn, "UTF-8"));
          while ((line = reader.readLine()) != null) {
            reply.append(line).append("\n");
          }
          // check the SOAP message for any SOAP related errors
          // before passing control to SAML processor
          xmlString = reply.toString();
          if (debug.messageEnabled()) {
            debug.message("Response Message:\n" + xmlString);
          }

          samlResponse = getSAMLResponse(xmlString);

          issuer = samlResponse.getIssuer();
          String issuerID = null;
          if (issuer != null) {
            issuerID = issuer.getValue().trim();
          }
          boolean isTrusted = verifyResponseIssuer(realm, pepEntityID, issuerID);

          if (!isTrusted) {
            if (debug.messageEnabled()) {
              debug.message(classMethod + "Issuer in Request is not valid.");
            }
            String[] args = {realm, pepEntityID, pdpEntityID};

            LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_PEP_REQUEST, args);
            throw new SAML2Exception("invalidIssuerInRequest");
          }
          if (samlResponse != null) {
            xmlString = samlResponse.toXMLString(true, true);
            if (debug.messageEnabled()) {
              debug.message(classMethod + "Response: " + xmlString);
            }
            response = verifyResponse(realm, pepEntityID, samlResponse);
            if (debug.messageEnabled()) {
              debug.message(
                  classMethod
                      + "Response with decrypted Assertion: "
                      + response.toXMLString(true, true));
            }
          }

        } catch (SOAPException soae) {
          if (debug.messageEnabled()) {
            debug.message(classMethod + "SOAPException :", soae);
          }
          throw new SAML2Exception(soae.getMessage());
        } catch (Exception e) {
          if (debug.messageEnabled()) {
            debug.message(classMethod + "Exception ", e);
          }
          throw new SAML2Exception(e.getMessage());
        }
      }
    }
    return response;
  }