コード例 #1
0
  /**
   * Populates localEntityId and localEntityRole based on the SAMLCredential.
   *
   * @param context context to populate
   * @param credential credential
   * @throws MetadataProviderException in case entity id can' be populated
   */
  protected void populateLocalEntityId(SAMLMessageContext context, SAMLCredential credential)
      throws MetadataProviderException {

    String entityID = credential.getLocalEntityID();
    context.setLocalEntityId(entityID);
    context.setLocalEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
  }
  /**
   * Returns logout request message ready to be sent to the IDP.
   *
   * @param context message context
   * @param credential information about assertions used to log current user in
   * @param bindingService service used to deliver the request
   * @return logoutRequest to be sent to IDP
   * @throws SAMLException error creating the message
   * @throws MetadataProviderException error retrieving metadata
   */
  protected LogoutRequest getLogoutRequest(
      SAMLMessageContext context, SAMLCredential credential, Endpoint bindingService)
      throws SAMLException, MetadataProviderException {

    SAMLObjectBuilder<LogoutRequest> builder =
        (SAMLObjectBuilder<LogoutRequest>)
            builderFactory.getBuilder(LogoutRequest.DEFAULT_ELEMENT_NAME);
    LogoutRequest request = builder.buildObject();
    buildCommonAttributes(context.getLocalEntityId(), request, bindingService);

    // Add session indexes
    SAMLObjectBuilder<SessionIndex> sessionIndexBuilder =
        (SAMLObjectBuilder<SessionIndex>)
            builderFactory.getBuilder(SessionIndex.DEFAULT_ELEMENT_NAME);
    for (AuthnStatement statement : credential.getAuthenticationAssertion().getAuthnStatements()) {
      SessionIndex index = sessionIndexBuilder.buildObject();
      index.setSessionIndex(statement.getSessionIndex());
      request.getSessionIndexes().add(index);
    }

    if (request.getSessionIndexes().size() == 0) {
      throw new SAMLException("No session indexes to logout user for were found");
    }

    SAMLObjectBuilder<NameID> nameIDBuilder =
        (SAMLObjectBuilder<NameID>) builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME);
    NameID nameID = nameIDBuilder.buildObject();
    nameID.setFormat(credential.getNameID().getFormat());
    nameID.setNameQualifier(credential.getNameID().getNameQualifier());
    nameID.setSPNameQualifier(credential.getNameID().getSPNameQualifier());
    nameID.setSPProvidedID(credential.getNameID().getSPProvidedID());
    nameID.setValue(credential.getNameID().getValue());
    request.setNameID(nameID);

    return request;
  }
  public boolean processLogoutRequest(SAMLMessageContext context, SAMLCredential credential)
      throws SAMLException, MetadataProviderException, MessageEncodingException {

    SAMLObject message = context.getInboundSAMLMessage();

    // Verify type
    if (message == null || !(message instanceof LogoutRequest)) {
      log.warn("Received request is not of a LogoutRequest object type");
      throw new SAMLException("Error validating SAML request");
    }

    LogoutRequest logoutRequest = (LogoutRequest) message;

    // Make sure request was authenticated if required, authentication is done as part of the
    // binding processing
    if (!context.isInboundSAMLMessageAuthenticated()
        && context.getLocalExtendedMetadata().isRequireLogoutRequestSigned()) {
      log.warn(
          "Logout Request object is required to be signed by the entity policy: "
              + context.getInboundSAMLMessageId());
      Status status = getStatus(StatusCode.REQUEST_DENIED_URI, "Message signature is required");
      sendLogoutResponse(status, context);
      return false;
    }

    try {
      // Verify destination
      verifyEndpoint(context.getLocalEntityEndpoint(), logoutRequest.getDestination());
    } catch (SAMLException e) {
      log.warn(
          "Destination of the request {} does not match any singleLogout endpoint",
          logoutRequest.getDestination());
      Status status =
          getStatus(StatusCode.REQUEST_DENIED_URI, "Destination URL of the request is invalid");
      sendLogoutResponse(status, context);
      return false;
    }

    // Verify issuer
    if (logoutRequest.getIssuer() != null) {
      try {
        Issuer issuer = logoutRequest.getIssuer();
        verifyIssuer(issuer, context);
      } catch (SAMLException e) {
        log.warn(
            "Response issue time is either too old or with date in the future, id {}",
            context.getInboundSAMLMessageId());
        Status status =
            getStatus(StatusCode.REQUEST_DENIED_URI, "Issuer of the message is unknown");
        sendLogoutResponse(status, context);
        return false;
      }
    }

    // Verify issue time
    DateTime time = logoutRequest.getIssueInstant();
    if (!isDateTimeSkewValid(getResponseSkew(), time)) {
      log.warn(
          "Response issue time is either too old or with date in the future, id {}.",
          context.getInboundSAMLMessageId());
      Status status =
          getStatus(StatusCode.REQUESTER_URI, "Message has been issued too long time ago");
      sendLogoutResponse(status, context);
      return false;
    }

    // Check whether any user is logged in
    if (credential == null) {
      Status status = getStatus(StatusCode.UNKNOWN_PRINCIPAL_URI, "No user is logged in");
      sendLogoutResponse(status, context);
      return false;
    }

    // Find index for which the logout is requested
    boolean indexFound = false;
    if (logoutRequest.getSessionIndexes() != null && logoutRequest.getSessionIndexes().size() > 0) {
      for (AuthnStatement statement :
          credential.getAuthenticationAssertion().getAuthnStatements()) {
        String statementIndex = statement.getSessionIndex();
        if (statementIndex != null) {
          for (SessionIndex index : logoutRequest.getSessionIndexes()) {
            if (statementIndex.equals(index.getSessionIndex())) {
              indexFound = true;
            }
          }
        }
      }
    } else {
      indexFound = true;
    }

    // Fail if sessionIndex is not found in any assertion
    if (!indexFound) {

      // Check logout request still valid and store request
      if (logoutRequest.getNotOnOrAfter() != null) {
        // TODO store request for assertions possibly arriving later
      }

      Status status =
          getStatus(StatusCode.REQUESTER_URI, "The requested SessionIndex was not found");
      sendLogoutResponse(status, context);
      return false;
    }

    try {
      // Fail if NameId doesn't correspond to the currently logged user
      NameID nameID = getNameID(context, logoutRequest);
      if (nameID == null || !equalsNameID(credential.getNameID(), nameID)) {
        Status status =
            getStatus(StatusCode.UNKNOWN_PRINCIPAL_URI, "The requested NameID is invalid");
        sendLogoutResponse(status, context);
        return false;
      }
    } catch (DecryptionException e) {
      Status status = getStatus(StatusCode.RESPONDER_URI, "The NameID can't be decrypted");
      sendLogoutResponse(status, context);
      return false;
    }

    // Message is valid, let's logout
    Status status = getStatus(StatusCode.SUCCESS_URI, null);
    sendLogoutResponse(status, context);

    return true;
  }