protected void initializeHandlerChain(PicketLinkType picketLinkType) throws Exception { SAML2HandlerChain handlerChain; // Get the chain from config if (isNullOrEmpty(samlHandlerChainClass)) { handlerChain = SAML2HandlerChainFactory.createChain(); } else { try { handlerChain = SAML2HandlerChainFactory.createChain(this.samlHandlerChainClass); } catch (ProcessingException e1) { throw new RuntimeException(e1); } } Handlers handlers = picketLinkType.getHandlers(); if (handlers == null) { // Get the handlers String handlerConfigFileName = GeneralConstants.HANDLER_CONFIG_FILE_LOCATION; handlers = ConfigurationUtil.getHandlers(servletContext.getResourceAsStream(handlerConfigFileName)); } picketLinkType.setHandlers(handlers); handlerChain.addAll(HandlerUtil.getHandlers(handlers)); populateChainConfig(picketLinkType); SAML2HandlerChainConfig handlerChainConfig = new DefaultSAML2HandlerChainConfig(chainConfigOptions); Set<SAML2Handler> samlHandlers = handlerChain.handlers(); for (SAML2Handler handler : samlHandlers) { handler.initChainConfig(handlerChainConfig); } chain = handlerChain; }
private boolean handleSAMLRequest(HttpServletRequest request, HttpServletResponse response) throws IOException { String samlRequest = request.getParameter(GeneralConstants.SAML_REQUEST_KEY); HTTPContext httpContext = new HTTPContext(request, response, this.servletContext); Set<SAML2Handler> handlers = chain.handlers(); try { ServiceProviderSAMLRequestProcessor requestProcessor = new ServiceProviderSAMLRequestProcessor( request.getMethod().equals("POST"), this.serviceURL, this.picketLinkConfiguration, this.idpMetadata); requestProcessor.setTrustKeyManager(keyManager); boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock); if (isEnableAudit()) { PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO); auditEvent.setType(PicketLinkAuditEventType.REQUEST_FROM_IDP); auditEvent.setWhoIsAuditing(getContextPath()); auditHelper.audit(auditEvent); } // If response is already commited, we need to stop with processing of HTTP request if (response.isCommitted()) { return false; } if (result) { return result; } } catch (Exception e) { logger.samlSPHandleRequestError(e); throw logger.samlSPProcessingExceptionError(e); } return localAuthentication(request, response); }
private boolean handleSAML2Response(HttpServletRequest request, HttpServletResponse response) throws IOException { HttpSession session = request.getSession(true); String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY); HTTPContext httpContext = new HTTPContext(request, response, this.servletContext); Set<SAML2Handler> handlers = chain.handlers(); Principal principal = request.getUserPrincipal(); boolean willSendRequest; // deal with SAML response from IDP try { ServiceProviderSAMLResponseProcessor responseProcessor = new ServiceProviderSAMLResponseProcessor( request.getMethod().equals("POST"), serviceURL, this.picketLinkConfiguration, this.idpMetadata); if (auditHelper != null) { responseProcessor.setAuditHelper(auditHelper); } responseProcessor.setTrustKeyManager(keyManager); SAML2HandlerResponse saml2HandlerResponse = responseProcessor.process(samlResponse, httpContext, handlers, chainLock); Document samlResponseDocument = saml2HandlerResponse.getResultingDocument(); String relayState = saml2HandlerResponse.getRelayState(); String destination = saml2HandlerResponse.getDestination(); willSendRequest = saml2HandlerResponse.getSendRequest(); String destinationQueryStringWithSignature = saml2HandlerResponse.getDestinationQueryStringWithSignature(); if (destination != null && samlResponseDocument != null) { sendRequestToIDP( destination, samlResponseDocument, relayState, request, response, willSendRequest, destinationQueryStringWithSignature); } else { // See if the session has been invalidated boolean sessionValidity = request.getUserPrincipal() != null; if (!sessionValidity) { sendToLogoutPage(request, response, session); return false; } // We got a response with the principal List<String> roles = saml2HandlerResponse.getRoles(); if (principal == null) { principal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID); } if (principal == null) { throw new RuntimeException(ErrorCodes.NULL_VALUE + " principal"); } if (isEnableAudit()) { PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO); auditEvent.setType(PicketLinkAuditEventType.RESPONSE_FROM_IDP); auditEvent.setSubjectName(principal.getName()); auditEvent.setWhoIsAuditing(getContextPath()); auditHelper.audit(auditEvent); } return true; } } catch (ProcessingException pe) { Throwable t = pe.getCause(); if (t != null && t instanceof AssertionExpiredException) { logger.error("Assertion has expired. Asking IDP for reissue"); if (isEnableAudit()) { PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO); auditEvent.setType(PicketLinkAuditEventType.EXPIRED_ASSERTION); auditEvent.setAssertionID(((AssertionExpiredException) t).getId()); auditHelper.audit(auditEvent); } // Just issue a fresh request back to IDP return generalUserRequest(request, response); } logger.samlSPHandleRequestError(pe); throw logger.samlSPProcessingExceptionError(pe); } catch (Exception e) { logger.samlSPHandleRequestError(e); throw logger.samlSPProcessingExceptionError(e); } return localAuthentication(request, response); }
private boolean generalUserRequest(HttpServletRequest request, HttpServletResponse response) throws IOException { HttpSession session = request.getSession(true); boolean willSendRequest = false; HTTPContext httpContext = new HTTPContext(request, response, this.servletContext); Set<SAML2Handler> handlers = chain.handlers(); boolean postBinding = getConfiguration().getBindingType().equals("POST"); // Neither saml request nor response from IDP // So this is a user request SAML2HandlerResponse saml2HandlerResponse = null; try { ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor( postBinding, serviceURL, this.picketLinkConfiguration, this.idpMetadata); if (issuerID != null) { baseProcessor.setIssuer(issuerID); } // If the user has a different desired idp String idp = (String) request.getAttribute(DESIRED_IDP); if (StringUtil.isNotNull(idp)) { baseProcessor.setIdentityURL(idp); } else { baseProcessor.setIdentityURL(getIdentityURL()); } baseProcessor.setAuditHelper(auditHelper); saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock); } catch (ProcessingException pe) { logger.samlSPHandleRequestError(pe); throw new RuntimeException(pe); } catch (ParsingException pe) { logger.samlSPHandleRequestError(pe); throw new RuntimeException(pe); } catch (ConfigurationException pe) { logger.samlSPHandleRequestError(pe); throw new RuntimeException(pe); } willSendRequest = saml2HandlerResponse.getSendRequest(); Document samlResponseDocument = saml2HandlerResponse.getResultingDocument(); String relayState = saml2HandlerResponse.getRelayState(); String destination = saml2HandlerResponse.getDestination(); String destinationQueryStringWithSignature = saml2HandlerResponse.getDestinationQueryStringWithSignature(); if (destination != null && samlResponseDocument != null) { try { if (isEnableAudit()) { PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO); auditEvent.setType(PicketLinkAuditEventType.REQUEST_TO_IDP); auditEvent.setWhoIsAuditing(getContextPath()); auditHelper.audit(auditEvent); } sendRequestToIDP( destination, samlResponseDocument, relayState, request, response, willSendRequest, destinationQueryStringWithSignature); return false; } catch (Exception e) { logger.samlSPHandleRequestError(e); throw logger.samlSPProcessingExceptionError(e); } } return localAuthentication(request, response); }