private boolean handleSAMLRequest(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String samlRequest = request.getParameter(GeneralConstants.SAML_REQUEST_KEY);
HTTPContext httpContext = new HTTPContext(request, response, this.servletContext);
Set<SAML2Handler> handlers = chain.handlers();
try {
ServiceProviderSAMLRequestProcessor requestProcessor =
new ServiceProviderSAMLRequestProcessor(
request.getMethod().equals("POST"),
this.serviceURL,
this.picketLinkConfiguration,
this.idpMetadata);
requestProcessor.setTrustKeyManager(keyManager);
boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock);
if (isEnableAudit()) {
PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
auditEvent.setType(PicketLinkAuditEventType.REQUEST_FROM_IDP);
auditEvent.setWhoIsAuditing(getContextPath());
auditHelper.audit(auditEvent);
}
// If response is already commited, we need to stop with processing of HTTP request
if (response.isCommitted()) {
return false;
}
if (result) {
return result;
}
} catch (Exception e) {
logger.samlSPHandleRequestError(e);
throw logger.samlSPProcessingExceptionError(e);
}
return localAuthentication(request, response);
}
protected void processConfiguration(FilterConfig filterConfig) {
InputStream is;
if (isNullOrEmpty(this.configFile)) {
is = servletContext.getResourceAsStream(CONFIG_FILE_LOCATION);
} else {
try {
is = new FileInputStream(this.configFile);
} catch (FileNotFoundException e) {
throw logger.samlIDPConfigurationError(e);
}
}
PicketLinkType picketLinkType;
String configurationProviderName = filterConfig.getInitParameter(CONFIGURATION_PROVIDER);
if (configurationProviderName != null) {
try {
Class<?> clazz = SecurityActions.loadClass(getClass(), configurationProviderName);
if (clazz == null) {
throw new ClassNotFoundException(ErrorCodes.CLASS_NOT_LOADED + configurationProviderName);
}
this.configProvider = (SAMLConfigurationProvider) clazz.newInstance();
} catch (Exception e) {
throw new RuntimeException(
"Could not create configuration provider [" + configurationProviderName + "].", e);
}
}
try {
// Work on the IDP Configuration
if (configProvider != null) {
try {
if (is == null) {
// Try the older version
is =
servletContext.getResourceAsStream(
GeneralConstants.DEPRECATED_CONFIG_FILE_LOCATION);
// Additionally parse the deprecated config file
if (is != null && configProvider instanceof AbstractSAMLConfigurationProvider) {
((AbstractSAMLConfigurationProvider) configProvider).setConfigFile(is);
}
} else {
// Additionally parse the consolidated config file
if (is != null && configProvider instanceof AbstractSAMLConfigurationProvider) {
((AbstractSAMLConfigurationProvider) configProvider).setConsolidatedConfigFile(is);
}
}
picketLinkType = configProvider.getPicketLinkConfiguration();
picketLinkType.setIdpOrSP(configProvider.getSPConfiguration());
} catch (ProcessingException e) {
throw logger.samlSPConfigurationError(e);
} catch (ParsingException e) {
throw logger.samlSPConfigurationError(e);
}
} else {
if (is != null) {
try {
picketLinkType = ConfigurationUtil.getConfiguration(is);
} catch (ParsingException e) {
logger.trace(e);
throw logger.samlSPConfigurationError(e);
}
} else {
is = servletContext.getResourceAsStream(GeneralConstants.DEPRECATED_CONFIG_FILE_LOCATION);
if (is == null) {
throw logger.configurationFileMissing(configFile);
}
picketLinkType = new PicketLinkType();
picketLinkType.setIdpOrSP(ConfigurationUtil.getSPConfiguration(is));
}
}
// Close the InputStream as we no longer need it
if (is != null) {
try {
is.close();
} catch (IOException e) {
// ignore
}
}
Boolean enableAudit = picketLinkType.isEnableAudit();
// See if we have the system property enabled
if (!enableAudit) {
String sysProp = SecurityActions.getSystemProperty(GeneralConstants.AUDIT_ENABLE, "NULL");
if (!"NULL".equals(sysProp)) {
enableAudit = Boolean.parseBoolean(sysProp);
}
}
if (enableAudit) {
if (auditHelper == null) {
String securityDomainName = PicketLinkAuditHelper.getSecurityDomainName(servletContext);
auditHelper = new PicketLinkAuditHelper(securityDomainName);
}
}
SPType spConfiguration = (SPType) picketLinkType.getIdpOrSP();
processIdPMetadata(spConfiguration);
this.serviceURL = spConfiguration.getServiceURL();
this.canonicalizationMethod = spConfiguration.getCanonicalizationMethod();
this.picketLinkConfiguration = picketLinkType;
this.issuerID = filterConfig.getInitParameter(ISSUER_ID);
this.characterEncoding = filterConfig.getInitParameter(CHARACTER_ENCODING);
this.samlHandlerChainClass = filterConfig.getInitParameter(SAML_HANDLER_CHAIN_CLASS);
logger.samlSPSettingCanonicalizationMethod(canonicalizationMethod);
XMLSignatureUtil.setCanonicalizationMethodType(canonicalizationMethod);
try {
this.initKeyProvider();
this.initializeHandlerChain(picketLinkType);
} catch (Exception e) {
throw new RuntimeException(e);
}
logger.trace("Identity Provider URL=" + getConfiguration().getIdentityURL());
} catch (Exception e) {
throw new RuntimeException(e);
}
}
private boolean handleSAML2Response(HttpServletRequest request, HttpServletResponse response)
throws IOException {
HttpSession session = request.getSession(true);
String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY);
HTTPContext httpContext = new HTTPContext(request, response, this.servletContext);
Set<SAML2Handler> handlers = chain.handlers();
Principal principal = request.getUserPrincipal();
boolean willSendRequest; // deal with SAML response from IDP
try {
ServiceProviderSAMLResponseProcessor responseProcessor =
new ServiceProviderSAMLResponseProcessor(
request.getMethod().equals("POST"),
serviceURL,
this.picketLinkConfiguration,
this.idpMetadata);
if (auditHelper != null) {
responseProcessor.setAuditHelper(auditHelper);
}
responseProcessor.setTrustKeyManager(keyManager);
SAML2HandlerResponse saml2HandlerResponse =
responseProcessor.process(samlResponse, httpContext, handlers, chainLock);
Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
String relayState = saml2HandlerResponse.getRelayState();
String destination = saml2HandlerResponse.getDestination();
willSendRequest = saml2HandlerResponse.getSendRequest();
String destinationQueryStringWithSignature =
saml2HandlerResponse.getDestinationQueryStringWithSignature();
if (destination != null && samlResponseDocument != null) {
sendRequestToIDP(
destination,
samlResponseDocument,
relayState,
request,
response,
willSendRequest,
destinationQueryStringWithSignature);
} else {
// See if the session has been invalidated
boolean sessionValidity = request.getUserPrincipal() != null;
if (!sessionValidity) {
sendToLogoutPage(request, response, session);
return false;
}
// We got a response with the principal
List<String> roles = saml2HandlerResponse.getRoles();
if (principal == null) {
principal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID);
}
if (principal == null) {
throw new RuntimeException(ErrorCodes.NULL_VALUE + " principal");
}
if (isEnableAudit()) {
PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
auditEvent.setType(PicketLinkAuditEventType.RESPONSE_FROM_IDP);
auditEvent.setSubjectName(principal.getName());
auditEvent.setWhoIsAuditing(getContextPath());
auditHelper.audit(auditEvent);
}
return true;
}
} catch (ProcessingException pe) {
Throwable t = pe.getCause();
if (t != null && t instanceof AssertionExpiredException) {
logger.error("Assertion has expired. Asking IDP for reissue");
if (isEnableAudit()) {
PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
auditEvent.setType(PicketLinkAuditEventType.EXPIRED_ASSERTION);
auditEvent.setAssertionID(((AssertionExpiredException) t).getId());
auditHelper.audit(auditEvent);
}
// Just issue a fresh request back to IDP
return generalUserRequest(request, response);
}
logger.samlSPHandleRequestError(pe);
throw logger.samlSPProcessingExceptionError(pe);
} catch (Exception e) {
logger.samlSPHandleRequestError(e);
throw logger.samlSPProcessingExceptionError(e);
}
return localAuthentication(request, response);
}
private boolean generalUserRequest(HttpServletRequest request, HttpServletResponse response)
throws IOException {
HttpSession session = request.getSession(true);
boolean willSendRequest = false;
HTTPContext httpContext = new HTTPContext(request, response, this.servletContext);
Set<SAML2Handler> handlers = chain.handlers();
boolean postBinding = getConfiguration().getBindingType().equals("POST");
// Neither saml request nor response from IDP
// So this is a user request
SAML2HandlerResponse saml2HandlerResponse = null;
try {
ServiceProviderBaseProcessor baseProcessor =
new ServiceProviderBaseProcessor(
postBinding, serviceURL, this.picketLinkConfiguration, this.idpMetadata);
if (issuerID != null) {
baseProcessor.setIssuer(issuerID);
}
// If the user has a different desired idp
String idp = (String) request.getAttribute(DESIRED_IDP);
if (StringUtil.isNotNull(idp)) {
baseProcessor.setIdentityURL(idp);
} else {
baseProcessor.setIdentityURL(getIdentityURL());
}
baseProcessor.setAuditHelper(auditHelper);
saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
} catch (ProcessingException pe) {
logger.samlSPHandleRequestError(pe);
throw new RuntimeException(pe);
} catch (ParsingException pe) {
logger.samlSPHandleRequestError(pe);
throw new RuntimeException(pe);
} catch (ConfigurationException pe) {
logger.samlSPHandleRequestError(pe);
throw new RuntimeException(pe);
}
willSendRequest = saml2HandlerResponse.getSendRequest();
Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
String relayState = saml2HandlerResponse.getRelayState();
String destination = saml2HandlerResponse.getDestination();
String destinationQueryStringWithSignature =
saml2HandlerResponse.getDestinationQueryStringWithSignature();
if (destination != null && samlResponseDocument != null) {
try {
if (isEnableAudit()) {
PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
auditEvent.setType(PicketLinkAuditEventType.REQUEST_TO_IDP);
auditEvent.setWhoIsAuditing(getContextPath());
auditHelper.audit(auditEvent);
}
sendRequestToIDP(
destination,
samlResponseDocument,
relayState,
request,
response,
willSendRequest,
destinationQueryStringWithSignature);
return false;
} catch (Exception e) {
logger.samlSPHandleRequestError(e);
throw logger.samlSPProcessingExceptionError(e);
}
}
return localAuthentication(request, response);
}
