/** * Processes the termination request received from a remote provider. Invoded when Http redirect * profile is used. * * @param request HTTP request * @param response HTTP response * @param reqTermination the federation termination request received from remote provider */ public void processTerminationRequest( HttpServletRequest request, HttpServletResponse response, FSFederationTerminationNotification reqTermination) { FSUtils.debug.message("Entered FSFedTerminationHandler::processTerminationRequest..."); this.request = request; this.locale = FSServiceUtils.getLocale(request); this.response = response; this.relayState = reqTermination.getRelayState(); setTerminationURL(); if (managerInst == null) { FSUtils.debug.error( "FSSPFedTerminationHandler " + FSUtils.bundle.getString(IFSConstants.FEDERATION_FAILED_ACCOUNT_INSTANCE)); if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message( "FSSPFedTerminationHandler::handleFederationTermination" + "failed to get Account Manager instance"); } returnToSource(); return; } boolean bStatus = updateAccountInformation(reqTermination.getNameIdentifier()); if (!bStatus) { FSUtils.debug.message("Termination request processing failed"); String[] data = { FSUtils.bundle.getString(IFSConstants.TERMINATION_REQUEST_PROCESSING_FAILED) }; LogUtil.error(Level.INFO, LogUtil.TERMINATION_FAILED, data, ssoToken); returnToSource(); return; } FSUtils.debug.message("User sucessfully defederated"); String[] data = {FSUtils.bundle.getString(IFSConstants.TERMINATION_SUCCEEDED)}; LogUtil.access(Level.INFO, LogUtil.TERMINATION_SUCCESS, data, ssoToken); // Call SP Adaper for remote IDP initiated HTTP profile if (hostedProviderRole != null && hostedProviderRole.equalsIgnoreCase(IFSConstants.SP)) { FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(hostedEntityId, hostedConfig); if (spAdapter != null) { FSUtils.debug.message("FSFedTerminationHandler.HTTP"); try { spAdapter.postTerminationNotificationSuccess( hostedEntityId, request, response, userID, reqTermination, IFSConstants.TERMINATION_IDP_HTTP_PROFILE); } catch (Exception e) { // ignore adapter exception FSUtils.debug.error("postTermNotification.IDP/HTTP", e); } } } returnToSource(); return; }
/** * Finds the user based on the termination request received from a remote provider. * * @param reqTermination the termination request * @return <code>true</code> if the user is found; <code>false</code> otherwise. */ public boolean setUserID(FSFederationTerminationNotification reqTermination) { try { // UserDN needs to be figured from termination request String sourceProviderId = ""; if (managerInst != null) { sourceProviderId = reqTermination.getProviderId(); if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message("sourceProviderId : " + sourceProviderId); } String opaqueHandle = (reqTermination.getNameIdentifier()).getName().trim(); if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message("processTerminationRequest Handle : " + opaqueHandle); } String associatedDomain = (reqTermination.getNameIdentifier().getNameQualifier()).trim(); if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message("Name Qualifier : " + associatedDomain); } if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message("Realm : " + realm); } String searchDomain = hostedEntityId; if ((associatedDomain != null) && (associatedDomain.length() != 0) && (!sourceProviderId.equals(associatedDomain))) { searchDomain = associatedDomain; } FSAccountFedInfoKey acctkey = new FSAccountFedInfoKey(searchDomain, opaqueHandle); Map env = new HashMap(); env.put(IFSConstants.FS_USER_PROVIDER_ENV_TERMINATION_KEY, reqTermination); this.userID = managerInst.getUserID(acctkey, realm, env); if (this.userID == null) { acctkey = new FSAccountFedInfoKey(remoteEntityId, opaqueHandle); this.userID = managerInst.getUserID(acctkey, realm, env); if (this.userID == null) { FSUtils.debug.message("UserID is null"); return false; } } if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message("user id is " + userID); } return true; } } catch (FSAccountMgmtException e) { FSUtils.debug.error("In FSAccountMgmtException :: ", e); } this.userID = null; return false; }
/** * Generates Federation termination request based onthe <code>FSAccountFedInfo</code> object that * represents the account federation for a user between 2 providers. * * @param acctInfo represents the current user account information * @return termination request message */ private FSFederationTerminationNotification createFederationTerminationRequest( FSAccountFedInfo acctInfo) { FSUtils.debug.message("FSFedTerminationHandler::createFederationTerminationRequest:"); FSFederationTerminationNotification reqName = new FSFederationTerminationNotification(); if (reqName != null) { NameIdentifier nameIdentifier = acctInfo.getRemoteNameIdentifier(); if (nameIdentifier == null) { nameIdentifier = acctInfo.getLocalNameIdentifier(); } if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message("SP Provider Id : " + hostedEntityId); } reqName.setProviderId(hostedEntityId); reqName.setNameIdentifier(nameIdentifier); // TODO: Any more member settings + signature return reqName; } else { FSUtils.debug.message("failed to create termination request"); FSUtils.debug.error( "FSFedTerminationHandler::createFederationTerminationRequest " + FSUtils.bundle.getString(IFSConstants.TERMINATION_REQUEST_CREATION)); return null; } }
/** * Initiates federation termination at remote end. The termination requested is constructed and * based on the profile the request is sent over SOAP or as HTTP redirect. Profile is always based * on the SPs profile * * @param acctInfo represents the user account federation information * @return <code>true</code> if termination request is sent to remote provider successfully; * <code>false</code> otherwise. */ private boolean doFederationTermination( HttpServletRequest request, HttpServletResponse response, FSAccountFedInfo acctInfo) { FSUtils.debug.message("Entered FSFedTerminationHandler::doFederationTermination"); try { if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message( "FSFedTerminationHandler::doFederationTermination create" + " request start"); } FSFederationTerminationNotification reqFedTermination = createFederationTerminationRequest(acctInfo); reqFedTermination.setMinorVersion( FSServiceUtils.getMinorVersion(remoteDescriptor.getProtocolSupportEnumeration())); if (reqFedTermination == null) { if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message( "FSIDPFedTerminationHandler::Termination request could " + "not be formed"); } // Always show success page since local termination succeeded FSServiceUtils.returnLocallyAfterOperation( response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE); return false; } if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message( "FSIDPFedTerminationHandler::Termination request formed" + "successfully"); } // Find out which profile to use boolean isSOAPProfile = true; if (acctInfo.isRoleIDP()) { List hostProfiles = hostedDescriptor.getFederationTerminationNotificationProtocolProfile(); if (hostProfiles == null || hostProfiles.isEmpty()) { FSUtils.debug.error( "FSFedTerminationHandler::" + "doFederationTermination no termination profile" + " cannot process request"); FSServiceUtils.returnLocallyAfterOperation( response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE); return false; } String profile = (String) hostProfiles.iterator().next(); if (profile.equalsIgnoreCase(IFSConstants.TERMINATION_SP_SOAP_PROFILE) || profile.equalsIgnoreCase(IFSConstants.TERMINATION_IDP_SOAP_PROFILE)) { isSOAPProfile = true; } else if (profile.equalsIgnoreCase(IFSConstants.TERMINATION_SP_HTTP_PROFILE) || profile.equalsIgnoreCase(IFSConstants.TERMINATION_IDP_HTTP_PROFILE)) { isSOAPProfile = false; } else { FSUtils.debug.error( "FSFedTerminationHandler::" + "doFederationTermination Invalid termination profile" + " cannot process request"); FSServiceUtils.returnLocallyAfterOperation( response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE); return false; } } else { List remoteProfiles = remoteDescriptor.getFederationTerminationNotificationProtocolProfile(); if (remoteProfiles == null || remoteProfiles.isEmpty()) { FSUtils.debug.error( "FSFedTerminationHandler::" + "doFederationTermination no termination profile" + " cannot process request"); FSServiceUtils.returnLocallyAfterOperation( response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE); return false; } String profile = (String) remoteProfiles.iterator().next(); if (profile.equalsIgnoreCase(IFSConstants.TERMINATION_SP_SOAP_PROFILE) || profile.equalsIgnoreCase(IFSConstants.TERMINATION_IDP_SOAP_PROFILE)) { isSOAPProfile = true; } else if (profile.equalsIgnoreCase(IFSConstants.TERMINATION_SP_HTTP_PROFILE) || profile.equalsIgnoreCase(IFSConstants.TERMINATION_IDP_HTTP_PROFILE)) { isSOAPProfile = false; } else { FSUtils.debug.error( "FSFedTerminationHandler::" + "doFederationTermination Invalid termination profile" + " cannot process request"); FSServiceUtils.returnLocallyAfterOperation( response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE); return false; } } if (isSOAPProfile) { FSSOAPService instSOAP = FSSOAPService.getInstance(); if (instSOAP != null) { FSUtils.debug.message("Signing suceeded. To call bindTerminationRequest"); // String id = reqFedTermination.getRequestID(); reqFedTermination.setID(IFSConstants.TERMINATIONID); SOAPMessage msgTermination = instSOAP.bind(reqFedTermination.toXMLString(true, true)); if (msgTermination != null) { try { if (FSServiceUtils.isSigningOn()) { int minorVersion = reqFedTermination.getMinorVersion(); if (minorVersion == IFSConstants.FF_11_PROTOCOL_MINOR_VERSION) { msgTermination = signTerminationRequest( msgTermination, IFSConstants.ID, reqFedTermination.getID()); } else if (minorVersion == IFSConstants.FF_12_PROTOCOL_MINOR_VERSION) { msgTermination = signTerminationRequest( msgTermination, IFSConstants.REQUEST_ID, reqFedTermination.getRequestID()); } else { FSUtils.debug.message("invalid minor version."); } } boolean sendStatus = instSOAP.sendTerminationMessage( msgTermination, remoteDescriptor.getSoapEndpoint()); // Call SP Adapter for SP initiated SOAP profile if (hostedProviderRole != null && hostedProviderRole.equalsIgnoreCase(IFSConstants.SP)) { FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(hostedEntityId, hostedConfig); if (spAdapter != null) { try { spAdapter.postTerminationNotificationSuccess( hostedEntityId, request, response, userID, reqFedTermination, IFSConstants.TERMINATION_SP_SOAP_PROFILE); } catch (Exception e) { // ignore adapter exception FSUtils.debug.error("postTerm.SP/SOAP", e); } } } // Always show success page since local termination // succeeded and that is what is important FSServiceUtils.returnLocallyAfterOperation( response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE); return sendStatus; } catch (Exception e) { FSUtils.debug.error( "FSFedTerminationHandler::" + "doFederationTermination " + FSUtils.bundle.getString(IFSConstants.TERMINATION_FAILED_SEND_REMOTE)); // Always show success page since local // termination succeeded FSServiceUtils.returnLocallyAfterOperation( response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE); return false; } } else { if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message( "FSSPFedTerminationHandler::doFederation" + "Termination failed. Error in forming Message"); } FSUtils.debug.error( "FSSPFedTerminationHandler.doFederationTermination " + FSUtils.bundle.getString(IFSConstants.TERMINATION_FAILED_SEND_REMOTE)); // Always show success page since local termination // succeeded FSServiceUtils.returnLocallyAfterOperation( response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE); return false; } } if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message( "FSFedTerminationHandler::doFederationTermination " + "failed. Cannot get Service Manager instance"); } FSUtils.debug.error( "FSSPFedTerminationHandler::doFederationTermination " + FSUtils.bundle.getString(IFSConstants.TERMINATION_FAILED_SEND_REMOTE)); // Always show success page since local termination succeeded FSServiceUtils.returnLocallyAfterOperation( response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE); return false; } else { if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message( "FSFedTerminationHandler::doFederationTermination " + "In Redirect profile"); } String urlEncodedRequest = reqFedTermination.toURLEncodedQueryString(); // Sign the request querystring if (FSServiceUtils.isSigningOn()) { String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig( hostedConfig, IFSConstants.SIGNING_CERT_ALIAS); if (certAlias == null || certAlias.length() == 0) { if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message( "FSBrowserArtifactConsumerHandler:: " + "signSAMLRequest:" + "couldn't obtain this site's cert alias."); } throw new SAMLResponderException(FSUtils.bundle.getString(IFSConstants.NO_CERT_ALIAS)); } urlEncodedRequest = FSSignatureUtil.signAndReturnQueryString(urlEncodedRequest, certAlias); } StringBuffer redirectURL = new StringBuffer(); if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message("Request to be sent : " + urlEncodedRequest); } String retURL = remoteDescriptor.getFederationTerminationServiceURL(); redirectURL.append(retURL); if (retURL.indexOf(IFSConstants.QUESTION_MARK) == -1) { redirectURL.append(IFSConstants.QUESTION_MARK); } else { redirectURL.append(IFSConstants.AMPERSAND); } redirectURL.append(urlEncodedRequest); if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message( "FSFedTerminationHandler::Redirect URL is " + redirectURL.toString()); } // Call SP Adaper for SP initiated HTTP profile // ideally this should be called from the // FSTerminationReturnServlet, but info not available there if (hostedProviderRole != null && hostedProviderRole.equalsIgnoreCase(IFSConstants.SP)) { FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(hostedEntityId, hostedConfig); if (spAdapter != null) { try { spAdapter.postTerminationNotificationSuccess( hostedEntityId, request, response, userID, reqFedTermination, IFSConstants.TERMINATION_SP_HTTP_PROFILE); } catch (Exception e) { // ignore adapter exception FSUtils.debug.error("postTerm.SP/HTTP", e); } } } response.sendRedirect(redirectURL.toString()); return true; } } catch (IOException e) { FSUtils.debug.error( "FSFedTerminationHandler" + FSUtils.bundle.getString(IFSConstants.FEDERATION_REDIRECT_FAILED)); } catch (FSMsgException e) { FSUtils.debug.error( "FSFedTerminationHandler::doFederationTermination " + FSUtils.bundle.getString(IFSConstants.TERMINATION_FAILED_SEND_REMOTE)); } catch (SAMLResponderException e) { FSUtils.debug.error( "FSFedTerminationHandler::doFederationTermination " + FSUtils.bundle.getString(IFSConstants.TERMINATION_FAILED_SEND_REMOTE)); } // Always show success page since local termination succeeded FSServiceUtils.returnLocallyAfterOperation( response, termination_done_url, true, IFSConstants.TERMINATION_SUCCESS, IFSConstants.TERMINATION_FAILURE); return false; }
/** * Processes the termination request received from a remote provider. Invoded when SOAP profile is * used. * * @param reqTermination the federation termination request received from remote provider * @return <code>true</code> when the process is successful; <code>false</code> otherwise. */ public boolean processSOAPTerminationRequest( HttpServletRequest request, HttpServletResponse response, FSFederationTerminationNotification reqTermination) { FSUtils.debug.message("Entered FSFedTerminationHandler::processSOAPTerminationRequest"); if (managerInst == null) { FSUtils.debug.error("FSSPFedTerminationHandler " + "Account Manager instance is null"); if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message( "FSSPFedTerminationHandler::handleFederationTermination" + "failed to get Account Manager instance"); } return false; } if (FSUtils.debug.messageEnabled()) { FSUtils.debug.message("Begin processTerminationRequest SOAP profile..."); } boolean bStatus = false; if (reqTermination != null) { boolean bUserStatus = setUserID(reqTermination); if (bUserStatus) { bStatus = updateAccountInformation(reqTermination.getNameIdentifier()); if (!bStatus) { FSUtils.debug.error( "FSFedTerminationHandler " + FSUtils.bundle.getString(IFSConstants.TERMINATION_REQUEST_PROCESSING_FAILED)); return false; } else { FSUtils.debug.message("User sucessfully defederated"); // Call SP Adapter for remote IDP initiated SOAP case if (hostedProviderRole != null && hostedProviderRole.equalsIgnoreCase(IFSConstants.SP)) { FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(hostedEntityId, hostedConfig); if (spAdapter != null) { FSUtils.debug.message("FSFedTerminationHandler.SOAP"); try { spAdapter.postTerminationNotificationSuccess( hostedEntityId, request, response, userID, reqTermination, IFSConstants.TERMINATION_IDP_SOAP_PROFILE); } catch (Exception e) { // ignore adapter exception FSUtils.debug.error("postTerm.IDP/SOAP", e); } } } return true; } } else { FSUtils.debug.message("Failed to get UserDN. Invalid termination request"); return false; } } else { FSUtils.debug.error( "FSFedTerminationHandler::processTerminationRequest " + "Federation termination request is improper"); return false; } }