@Override
public Object toJson(String value) {
try {
return Base64.encode(value.getBytes("UTF-8"));
} catch (UnsupportedEncodingException e) {
throw new IllegalStateException("Script encoding failed", e);
}
}
/**
* Gets a random string
*
* @return random string
*/
private static String getRandomString() {
StringBuilder sb = new StringBuilder(30);
byte[] keyRandom = new byte[5];
random.nextBytes(keyRandom);
sb.append(System.currentTimeMillis());
sb.append(Base64.encode(keyRandom));
return (sb.toString());
}
/**
* Returns Hex encoded source ID based on the input Base64 source ID. <br>
* Usage: java com.sun.identity.saml.common.Base64ToHex <Base64_encoded_id><br>
* This method will print out Hex encoded source ID to the standard output.
*
* @param args Hex encoded source ID.
*/
public static void main(String args[]) throws Exception {
if (args.length != 1) {
System.out.println("Usage: java Base64ToHex <Base64_encoded_id>");
return;
}
String inputString = args[0];
Base64 decoder = new Base64();
byte[] byteArray = decoder.decode(inputString);
int readBytes = byteArray.length;
StringBuffer hexData = new StringBuffer();
int onebyte;
for (int i = 0; i < readBytes; i++) {
onebyte = ((0x000000ff & byteArray[i]) | 0xffffff00);
hexData.append(Integer.toHexString(onebyte).substring(6));
}
System.out.println(hexData.toString());
}
public static String buildX509Certificate(String certAlias) throws SAML2MetaException {
if ((certAlias == null) || (certAlias.trim().length() == 0)) {
return null;
}
X509Certificate cert = KeyUtil.getKeyProviderInstance().getX509Certificate(certAlias);
if (cert != null) {
try {
return Base64.encode(cert.getEncoded(), true);
} catch (Exception ex) {
if (debug.messageEnabled()) {
debug.message("SAML2MetaSecurityUtils.buildX509Certificate:", ex);
}
}
}
Object[] objs = {certAlias};
throw new SAML2MetaException("invalid_cert_alias", objs);
}
/**
* Helper function to retrieve a field from the provided request's query parameters. This exists
* for the old-style interfaces, and takes the parameter name as an argument also.
*
* <p>If the queryParameters contain the "encoded" parameter, then the result is Base64 decoded
* before being returned.
*
* @param request Request containing the parameters to retrieve.
* @param paramName The name of the parameter whose value to (possibly decode) return.
* @return The (possibly decoded) value of the paramName's key within the requests's query
* parameters.
*/
public String getAndDecodeParameter(HttpServletRequest request, String paramName) {
String value = request.getParameter(paramName);
if (value == null) {
return null;
}
String encoded = request.getParameter("encoded");
if (Boolean.parseBoolean(encoded)) {
String decodedParameterValue = Base64.decodeAsUTF8String(value);
if (decodedParameterValue == null && DEBUG.warningEnabled()) {
DEBUG.warning(
"As parameter 'encoded' is true, parameter ['{}']='{}' should be base64 encoded",
paramName,
value);
}
return decodedParameterValue;
} else {
return value;
}
}
/** {@inheritDoc} */
public DeviceCode createDeviceCode(
Set<String> scope,
String clientId,
String nonce,
String responseType,
String state,
String acrValues,
String prompt,
String uiLocales,
String loginHint,
Integer maxAge,
String claims,
OAuth2Request request,
String codeChallenge,
String codeChallengeMethod)
throws ServerException, NotFoundException {
logger.message("DefaultOAuthTokenStoreImpl::Creating Authorization code");
final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
final String deviceCode = UUID.randomUUID().toString();
String userCode = null;
int i;
for (i = 0; userCode == null && i < 10; i++) {
// A 6-byte array will result in an 8-char Base64 user code.
byte[] randomBytes = new byte[6];
secureRandom.nextBytes(randomBytes);
userCode = Base64.encode(randomBytes);
try {
readDeviceCode(userCode, request);
// code can be found - try again
} catch (InvalidGrantException e) {
// Good, it doesn't exist yet.
break;
} catch (ServerException e) {
logger.message("Could not query CTS, assume duplicate to be safe", e);
}
userCode = null;
}
if (i == 10) {
throw new ServerException("Could not generate a unique user code");
}
long expiryTime =
System.currentTimeMillis() + (1000 * providerSettings.getDeviceCodeLifetime());
final DeviceCode code =
new DeviceCode(
deviceCode,
userCode,
clientId,
nonce,
responseType,
state,
acrValues,
prompt,
uiLocales,
loginHint,
maxAge,
claims,
expiryTime,
scope,
realmNormaliser.normalise(request.<String>getParameter(REALM)),
codeChallenge,
codeChallengeMethod);
// Store in CTS
try {
tokenStore.create(code);
if (auditLogger.isAuditLogEnabled()) {
String[] obs = {"CREATED_DEVICE_CODE", code.toString()};
auditLogger.logAccessMessage("CREATED_DEVICE_CODE", obs, null);
}
} catch (CoreTokenException e) {
if (auditLogger.isAuditLogEnabled()) {
String[] obs = {"FAILED_CREATE_DEVICE_CODE", code.toString()};
auditLogger.logErrorMessage("FAILED_CREATE_DEVICE_CODE", obs, null);
}
logger.error("Unable to create device code " + code, e);
throw new ServerException("Could not create token in CTS");
}
request.setToken(DeviceCode.class, code);
return code;
}
@Override
public String fromJson(Object json) {
String decodedValue = Base64.decodeAsUTF8String((String) json);
return decodedValue == null ? "" : decodedValue;
}
/**
* Initiates <code>SAML</code> web browser POST profile. This method takes in a TARGET in the
* request, creates a SAMLResponse, then redirects user to the destination site.
*
* @param request <code>HttpServletRequest</code> instance
* @param response <code>HttpServletResponse</code> instance
* @throws ServletException if there is an error.
* @throws IOException if there is an error.
*/
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
if ((request == null) || (response == null)) {
String[] data = {SAMLUtils.bundle.getString("nullInputParameter")};
LogUtils.error(java.util.logging.Level.INFO, LogUtils.NULL_PARAMETER, data);
SAMLUtils.sendError(
request,
response,
HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"nullInputParameter",
SAMLUtils.bundle.getString("nullInputParameter"));
return;
}
SAMLUtils.checkHTTPContentLength(request);
// get Session
Object token = getSession(request);
if (token == null) {
response.sendRedirect(SAMLUtils.getLoginRedirectURL(request));
return;
}
// obtain TARGET
String target = request.getParameter(SAMLConstants.POST_TARGET_PARAM);
if (target == null || target.length() == 0) {
String[] data = {SAMLUtils.bundle.getString("missingTargetSite")};
LogUtils.error(java.util.logging.Level.INFO, LogUtils.MISSING_TARGET, data, token);
SAMLUtils.sendError(
request,
response,
HttpServletResponse.SC_BAD_REQUEST,
"missingTargetSite",
SAMLUtils.bundle.getString("missingTargetSite"));
return;
}
// Get the Destination site Entry
// find the destSite POST URL, which is the Receipient
SAMLServiceManager.SiteEntry destSite = getDestSite(target);
String destSiteUrl = null;
if ((destSite == null) || ((destSiteUrl = destSite.getPOSTUrl()) == null)) {
String[] data = {SAMLUtils.bundle.getString("targetForbidden"), target};
LogUtils.error(java.util.logging.Level.INFO, LogUtils.TARGET_FORBIDDEN, data, token);
SAMLUtils.sendError(
request,
response,
response.SC_BAD_REQUEST,
"targetForbidden",
SAMLUtils.bundle.getString("targetForbidden") + " " + target);
return;
}
Response samlResponse = null;
try {
String version = destSite.getVersion();
int majorVersion = SAMLConstants.PROTOCOL_MAJOR_VERSION;
int minorVersion = SAMLConstants.PROTOCOL_MINOR_VERSION;
if (version != null) {
StringTokenizer st = new StringTokenizer(version, ".");
if (st.countTokens() == 2) {
majorVersion = Integer.parseInt(st.nextToken().trim());
minorVersion = Integer.parseInt(st.nextToken().trim());
}
}
// create assertion
AssertionManager am = AssertionManager.getInstance();
SessionProvider sessionProvider = SessionManager.getProvider();
Assertion assertion =
am.createSSOAssertion(
sessionProvider.getSessionID(token),
null,
request,
response,
destSite.getSourceID(),
target,
majorVersion + "." + minorVersion);
// create SAMLResponse
StatusCode statusCode = new StatusCode(SAMLConstants.STATUS_CODE_SUCCESS);
Status status = new Status(statusCode);
List contents = new ArrayList();
contents.add(assertion);
samlResponse = new Response(null, status, destSiteUrl, contents);
samlResponse.setMajorVersion(majorVersion);
samlResponse.setMinorVersion(minorVersion);
} catch (SessionException sse) {
SAMLUtils.debug.error(
"SAMLPOSTProfileServlet.doGet: Exception " + "Couldn't get SessionProvider:", sse);
SAMLUtils.sendError(
request,
response,
HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"couldNotCreateResponse",
sse.getMessage());
return;
} catch (NumberFormatException ne) {
SAMLUtils.debug.error(
"SAMLPOSTProfileServlet.doGet: Exception " + "when creating Response: ", ne);
SAMLUtils.sendError(
request,
response,
HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"couldNotCreateResponse",
ne.getMessage());
return;
} catch (SAMLException se) {
SAMLUtils.debug.error(
"SAMLPOSTProfileServlet.doGet: Exception " + "when creating Response: ", se);
SAMLUtils.sendError(
request,
response,
HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"couldNotCreateResponse",
se.getMessage());
return;
}
// sign the samlResponse
byte signedBytes[] = null;
try {
samlResponse.signXML();
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message(
"SAMLPOSTProfileServlet.doGet: "
+ "signed samlResponse is"
+ samlResponse.toString(true, true, true));
}
signedBytes = SAMLUtils.getResponseBytes(samlResponse);
} catch (Exception e) {
SAMLUtils.debug.error(
"SAMLPOSTProfileServlet.doGet: Exception " + "when signing the response:", e);
SAMLUtils.sendError(
request,
response,
HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"errorSigningResponse",
SAMLUtils.bundle.getString("errorSigningResponse"));
return;
}
// base64 encode the signed samlResponse
String encodedResponse = null;
try {
encodedResponse = Base64.encode(signedBytes, true).trim();
} catch (Exception e) {
SAMLUtils.debug.error(
"SAMLPOSTProfileServlet.doGet: Exception " + "when encoding the response:", e);
SAMLUtils.sendError(
request,
response,
HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"errorEncodeResponse",
SAMLUtils.bundle.getString("errorEncodeResponse"));
return;
}
if (LogUtils.isAccessLoggable(java.util.logging.Level.FINE)) {
String[] data = {
SAMLUtils.bundle.getString("redirectTo"),
target,
destSiteUrl,
new String(signedBytes, "UTF-8")
};
LogUtils.access(java.util.logging.Level.FINE, LogUtils.REDIRECT_TO_URL, data, token);
} else {
String[] data = {SAMLUtils.bundle.getString("redirectTo"), target, destSiteUrl};
LogUtils.access(java.util.logging.Level.INFO, LogUtils.REDIRECT_TO_URL, data, token);
}
response.setContentType("text/html; charset=UTF-8");
PrintWriter out = response.getWriter();
out.println("<HTML>");
out.println("<BODY Onload=\"document.forms[0].submit()\">");
out.println("<FORM METHOD=\"POST\" ACTION=\"" + destSiteUrl + "\">");
out.println("<INPUT TYPE=\"HIDDEN\" NAME=\"" + SAMLConstants.POST_SAML_RESPONSE_PARAM + "\" ");
out.println("VALUE=\"" + encodedResponse + "\">");
out.println(
"<INPUT TYPE=\"HIDDEN\" NAME=\""
+ SAMLConstants.POST_TARGET_PARAM
+ "\" VALUE=\""
+ target
+ "\"> </FORM>");
out.println("</BODY></HTML>");
out.close();
}
/**
* This method processes TARGET and SAMLResponse info from the request, validates the
* response/assertion(s), then redirects user to the TARGET resource if all are valid.
*
* @param request <code>HttpServletRequest</code> instance
* @param response <code>HttpServletResponse</code> instance
* @throws ServletException if there is an error.
* @throws IOException if there is an error.
*/
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html; charset=UTF-8");
if ((request == null) || (response == null)) {
String[] data = {SAMLUtils.bundle.getString("nullInputParameter")};
LogUtils.error(java.util.logging.Level.INFO, LogUtils.NULL_PARAMETER, data);
SAMLUtils.sendError(
request,
response,
HttpServletResponse.SC_BAD_REQUEST,
"nullInputParameter",
SAMLUtils.bundle.getString("nullInputParameter"));
return;
}
SAMLUtils.checkHTTPContentLength(request);
// obtain TARGET
String target = request.getParameter(SAMLConstants.POST_TARGET_PARAM);
if (target == null || target.length() == 0) {
String[] data = {SAMLUtils.bundle.getString("missingTargetSite")};
LogUtils.error(java.util.logging.Level.INFO, LogUtils.MISSING_TARGET, data);
SAMLUtils.sendError(
request,
response,
HttpServletResponse.SC_BAD_REQUEST,
"missingTargetSite",
SAMLUtils.bundle.getString("missingTargetSite"));
return;
}
// obtain SAMLResponse
String samlResponse = request.getParameter(SAMLConstants.POST_SAML_RESPONSE_PARAM);
if (samlResponse == null) {
String[] data = {SAMLUtils.bundle.getString("missingSAMLResponse")};
LogUtils.error(java.util.logging.Level.INFO, LogUtils.MISSING_RESPONSE, data);
SAMLUtils.sendError(
request,
response,
HttpServletResponse.SC_BAD_REQUEST,
"missingSAMLResponse",
SAMLUtils.bundle.getString("missingSAMLResponse"));
return;
}
// decode the Response
byte raw[] = null;
try {
raw = Base64.decode(samlResponse);
} catch (Exception e) {
SAMLUtils.debug.error(
"SAMLPOSTProfileServlet.doPost: Exception " + "when decoding SAMLResponse:", e);
SAMLUtils.sendError(
request,
response,
response.SC_INTERNAL_SERVER_ERROR,
"errorDecodeResponse",
SAMLUtils.bundle.getString("errorDecodeResponse"));
return;
}
// Get Response back
Response sResponse = SAMLUtils.getResponse(raw);
if (sResponse == null) {
String[] data = {SAMLUtils.bundle.getString("errorObtainResponse")};
LogUtils.error(java.util.logging.Level.INFO, LogUtils.RESPONSE_MESSAGE_ERROR, data);
SAMLUtils.sendError(
request,
response,
HttpServletResponse.SC_BAD_REQUEST,
"errorObtainResponse",
SAMLUtils.bundle.getString("errorObtainResponse"));
return;
}
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("SAMLPOSTProfileServlet.doPost: Received " + sResponse.toString());
}
// verify that Response is correct
StringBuffer requestUrl = request.getRequestURL();
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("SAMLPOSTProfileServlet.doPost: " + "requestUrl=" + requestUrl);
}
boolean valid = SAMLUtils.verifyResponse(sResponse, requestUrl.toString(), request);
if (!valid) {
String[] data = {SAMLUtils.bundle.getString("invalidResponse")};
LogUtils.error(java.util.logging.Level.INFO, LogUtils.INVALID_RESPONSE, data);
SAMLUtils.sendError(
request,
response,
HttpServletResponse.SC_BAD_REQUEST,
"invalidResponse",
SAMLUtils.bundle.getString("invalidResponse"));
return;
}
Map attrMap = null;
List assertions = null;
javax.security.auth.Subject authSubject = null;
try {
Map sessionAttr = SAMLUtils.processResponse(sResponse, target);
Object token = SAMLUtils.generateSession(request, response, sessionAttr);
} catch (Exception ex) {
SAMLUtils.debug.error("generateSession: ", ex);
String[] data = {SAMLUtils.bundle.getString("failedCreateSSOToken")};
LogUtils.error(java.util.logging.Level.INFO, LogUtils.FAILED_TO_CREATE_SSO_TOKEN, data);
SAMLUtils.sendError(
request,
response,
HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"failedCreateSSOToken",
ex.getMessage());
;
return;
}
if (LogUtils.isAccessLoggable(java.util.logging.Level.FINE)) {
String[] data = {SAMLUtils.bundle.getString("accessGranted"), new String(raw, "UTF-8")};
LogUtils.access(java.util.logging.Level.FINE, LogUtils.ACCESS_GRANTED, data);
} else {
String[] data = {SAMLUtils.bundle.getString("accessGranted")};
LogUtils.access(java.util.logging.Level.INFO, LogUtils.ACCESS_GRANTED, data);
}
if (SAMLUtils.postYN(target)) {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("POST to target:" + target);
}
SAMLUtils.postToTarget(response, assertions, target, attrMap);
} else {
response.setHeader("Location", target);
response.sendRedirect(target);
}
}