예제 #1
2
  protected void initializeHandlerChain(PicketLinkType picketLinkType) throws Exception {
    SAML2HandlerChain handlerChain;

    // Get the chain from config
    if (isNullOrEmpty(samlHandlerChainClass)) {
      handlerChain = SAML2HandlerChainFactory.createChain();
    } else {
      try {
        handlerChain = SAML2HandlerChainFactory.createChain(this.samlHandlerChainClass);
      } catch (ProcessingException e1) {
        throw new RuntimeException(e1);
      }
    }

    Handlers handlers = picketLinkType.getHandlers();

    if (handlers == null) {
      // Get the handlers
      String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION;
      handlers =
          ConfigurationUtil.getHandlers(servletContext.getResourceAsStream(handlerConfigFileName));
    }

    picketLinkType.setHandlers(handlers);

    handlerChain.addAll(HandlerUtil.getHandlers(handlers));

    populateChainConfig(picketLinkType);
    SAML2HandlerChainConfig handlerChainConfig =
        new DefaultSAML2HandlerChainConfig(chainConfigOptions);

    Set<SAML2Handler> samlHandlers = handlerChain.handlers();

    for (SAML2Handler handler : samlHandlers) {
      handler.initChainConfig(handlerChainConfig);
    }

    chain = handlerChain;
  }
예제 #2
1
  private boolean handleSAMLRequest(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    String samlRequest = request.getParameter(GeneralConstants.SAML_REQUEST_KEY);
    HTTPContext httpContext = new HTTPContext(request, response, this.servletContext);
    Set<SAML2Handler> handlers = chain.handlers();

    try {
      ServiceProviderSAMLRequestProcessor requestProcessor =
          new ServiceProviderSAMLRequestProcessor(
              request.getMethod().equals("POST"),
              this.serviceURL,
              this.picketLinkConfiguration,
              this.idpMetadata);
      requestProcessor.setTrustKeyManager(keyManager);
      boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock);

      if (isEnableAudit()) {
        PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
        auditEvent.setType(PicketLinkAuditEventType.REQUEST_FROM_IDP);
        auditEvent.setWhoIsAuditing(getContextPath());
        auditHelper.audit(auditEvent);
      }

      // If response is already commited, we need to stop with processing of HTTP request
      if (response.isCommitted()) {
        return false;
      }

      if (result) {
        return result;
      }
    } catch (Exception e) {
      logger.samlSPHandleRequestError(e);
      throw logger.samlSPProcessingExceptionError(e);
    }

    return localAuthentication(request, response);
  }
예제 #3
0
  private boolean handleSAML2Response(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    HttpSession session = request.getSession(true);
    String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY);
    HTTPContext httpContext = new HTTPContext(request, response, this.servletContext);
    Set<SAML2Handler> handlers = chain.handlers();

    Principal principal = request.getUserPrincipal();

    boolean willSendRequest; // deal with SAML response from IDP

    try {
      ServiceProviderSAMLResponseProcessor responseProcessor =
          new ServiceProviderSAMLResponseProcessor(
              request.getMethod().equals("POST"),
              serviceURL,
              this.picketLinkConfiguration,
              this.idpMetadata);
      if (auditHelper != null) {
        responseProcessor.setAuditHelper(auditHelper);
      }

      responseProcessor.setTrustKeyManager(keyManager);

      SAML2HandlerResponse saml2HandlerResponse =
          responseProcessor.process(samlResponse, httpContext, handlers, chainLock);

      Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
      String relayState = saml2HandlerResponse.getRelayState();

      String destination = saml2HandlerResponse.getDestination();

      willSendRequest = saml2HandlerResponse.getSendRequest();

      String destinationQueryStringWithSignature =
          saml2HandlerResponse.getDestinationQueryStringWithSignature();

      if (destination != null && samlResponseDocument != null) {
        sendRequestToIDP(
            destination,
            samlResponseDocument,
            relayState,
            request,
            response,
            willSendRequest,
            destinationQueryStringWithSignature);
      } else {
        // See if the session has been invalidated
        boolean sessionValidity = request.getUserPrincipal() != null;

        if (!sessionValidity) {
          sendToLogoutPage(request, response, session);
          return false;
        }

        // We got a response with the principal
        List<String> roles = saml2HandlerResponse.getRoles();
        if (principal == null) {
          principal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID);
        }

        if (principal == null) {
          throw new RuntimeException(ErrorCodes.NULL_VALUE + " principal");
        }

        if (isEnableAudit()) {
          PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
          auditEvent.setType(PicketLinkAuditEventType.RESPONSE_FROM_IDP);
          auditEvent.setSubjectName(principal.getName());
          auditEvent.setWhoIsAuditing(getContextPath());
          auditHelper.audit(auditEvent);
        }

        return true;
      }
    } catch (ProcessingException pe) {
      Throwable t = pe.getCause();
      if (t != null && t instanceof AssertionExpiredException) {
        logger.error("Assertion has expired. Asking IDP for reissue");
        if (isEnableAudit()) {
          PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
          auditEvent.setType(PicketLinkAuditEventType.EXPIRED_ASSERTION);
          auditEvent.setAssertionID(((AssertionExpiredException) t).getId());
          auditHelper.audit(auditEvent);
        }
        // Just issue a fresh request back to IDP
        return generalUserRequest(request, response);
      }
      logger.samlSPHandleRequestError(pe);
      throw logger.samlSPProcessingExceptionError(pe);
    } catch (Exception e) {
      logger.samlSPHandleRequestError(e);
      throw logger.samlSPProcessingExceptionError(e);
    }

    return localAuthentication(request, response);
  }
예제 #4
0
  private boolean generalUserRequest(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    HttpSession session = request.getSession(true);
    boolean willSendRequest = false;
    HTTPContext httpContext = new HTTPContext(request, response, this.servletContext);
    Set<SAML2Handler> handlers = chain.handlers();

    boolean postBinding = getConfiguration().getBindingType().equals("POST");

    // Neither saml request nor response from IDP
    // So this is a user request
    SAML2HandlerResponse saml2HandlerResponse = null;
    try {
      ServiceProviderBaseProcessor baseProcessor =
          new ServiceProviderBaseProcessor(
              postBinding, serviceURL, this.picketLinkConfiguration, this.idpMetadata);
      if (issuerID != null) {
        baseProcessor.setIssuer(issuerID);
      }

      // If the user has a different desired idp
      String idp = (String) request.getAttribute(DESIRED_IDP);
      if (StringUtil.isNotNull(idp)) {
        baseProcessor.setIdentityURL(idp);
      } else {
        baseProcessor.setIdentityURL(getIdentityURL());
      }
      baseProcessor.setAuditHelper(auditHelper);

      saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
    } catch (ProcessingException pe) {
      logger.samlSPHandleRequestError(pe);
      throw new RuntimeException(pe);
    } catch (ParsingException pe) {
      logger.samlSPHandleRequestError(pe);
      throw new RuntimeException(pe);
    } catch (ConfigurationException pe) {
      logger.samlSPHandleRequestError(pe);
      throw new RuntimeException(pe);
    }

    willSendRequest = saml2HandlerResponse.getSendRequest();

    Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
    String relayState = saml2HandlerResponse.getRelayState();

    String destination = saml2HandlerResponse.getDestination();
    String destinationQueryStringWithSignature =
        saml2HandlerResponse.getDestinationQueryStringWithSignature();

    if (destination != null && samlResponseDocument != null) {
      try {
        if (isEnableAudit()) {
          PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
          auditEvent.setType(PicketLinkAuditEventType.REQUEST_TO_IDP);
          auditEvent.setWhoIsAuditing(getContextPath());
          auditHelper.audit(auditEvent);
        }
        sendRequestToIDP(
            destination,
            samlResponseDocument,
            relayState,
            request,
            response,
            willSendRequest,
            destinationQueryStringWithSignature);
        return false;
      } catch (Exception e) {
        logger.samlSPHandleRequestError(e);
        throw logger.samlSPProcessingExceptionError(e);
      }
    }

    return localAuthentication(request, response);
  }