示例#1
1
  private boolean handleSAMLRequest(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    String samlRequest = request.getParameter(GeneralConstants.SAML_REQUEST_KEY);
    HTTPContext httpContext = new HTTPContext(request, response, this.servletContext);
    Set<SAML2Handler> handlers = chain.handlers();

    try {
      ServiceProviderSAMLRequestProcessor requestProcessor =
          new ServiceProviderSAMLRequestProcessor(
              request.getMethod().equals("POST"),
              this.serviceURL,
              this.picketLinkConfiguration,
              this.idpMetadata);
      requestProcessor.setTrustKeyManager(keyManager);
      boolean result = requestProcessor.process(samlRequest, httpContext, handlers, chainLock);

      if (isEnableAudit()) {
        PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
        auditEvent.setType(PicketLinkAuditEventType.REQUEST_FROM_IDP);
        auditEvent.setWhoIsAuditing(getContextPath());
        auditHelper.audit(auditEvent);
      }

      // If response is already commited, we need to stop with processing of HTTP request
      if (response.isCommitted()) {
        return false;
      }

      if (result) {
        return result;
      }
    } catch (Exception e) {
      logger.samlSPHandleRequestError(e);
      throw logger.samlSPProcessingExceptionError(e);
    }

    return localAuthentication(request, response);
  }
示例#2
0
  protected void processConfiguration(FilterConfig filterConfig) {
    InputStream is;

    if (isNullOrEmpty(this.configFile)) {
      is = servletContext.getResourceAsStream(CONFIG_FILE_LOCATION);
    } else {
      try {
        is = new FileInputStream(this.configFile);
      } catch (FileNotFoundException e) {
        throw logger.samlIDPConfigurationError(e);
      }
    }

    PicketLinkType picketLinkType;

    String configurationProviderName = filterConfig.getInitParameter(CONFIGURATION_PROVIDER);

    if (configurationProviderName != null) {
      try {
        Class<?> clazz = SecurityActions.loadClass(getClass(), configurationProviderName);

        if (clazz == null) {
          throw new ClassNotFoundException(ErrorCodes.CLASS_NOT_LOADED + configurationProviderName);
        }

        this.configProvider = (SAMLConfigurationProvider) clazz.newInstance();
      } catch (Exception e) {
        throw new RuntimeException(
            "Could not create configuration provider [" + configurationProviderName + "].", e);
      }
    }

    try {
      // Work on the IDP Configuration
      if (configProvider != null) {
        try {
          if (is == null) {
            // Try the older version
            is =
                servletContext.getResourceAsStream(
                    GeneralConstants.DEPRECATED_CONFIG_FILE_LOCATION);

            // Additionally parse the deprecated config file
            if (is != null && configProvider instanceof AbstractSAMLConfigurationProvider) {
              ((AbstractSAMLConfigurationProvider) configProvider).setConfigFile(is);
            }
          } else {
            // Additionally parse the consolidated config file
            if (is != null && configProvider instanceof AbstractSAMLConfigurationProvider) {
              ((AbstractSAMLConfigurationProvider) configProvider).setConsolidatedConfigFile(is);
            }
          }

          picketLinkType = configProvider.getPicketLinkConfiguration();
          picketLinkType.setIdpOrSP(configProvider.getSPConfiguration());
        } catch (ProcessingException e) {
          throw logger.samlSPConfigurationError(e);
        } catch (ParsingException e) {
          throw logger.samlSPConfigurationError(e);
        }
      } else {
        if (is != null) {
          try {
            picketLinkType = ConfigurationUtil.getConfiguration(is);
          } catch (ParsingException e) {
            logger.trace(e);
            throw logger.samlSPConfigurationError(e);
          }
        } else {
          is = servletContext.getResourceAsStream(GeneralConstants.DEPRECATED_CONFIG_FILE_LOCATION);
          if (is == null) {
            throw logger.configurationFileMissing(configFile);
          }

          picketLinkType = new PicketLinkType();

          picketLinkType.setIdpOrSP(ConfigurationUtil.getSPConfiguration(is));
        }
      }

      // Close the InputStream as we no longer need it
      if (is != null) {
        try {
          is.close();
        } catch (IOException e) {
          // ignore
        }
      }

      Boolean enableAudit = picketLinkType.isEnableAudit();

      // See if we have the system property enabled
      if (!enableAudit) {
        String sysProp = SecurityActions.getSystemProperty(GeneralConstants.AUDIT_ENABLE, "NULL");
        if (!"NULL".equals(sysProp)) {
          enableAudit = Boolean.parseBoolean(sysProp);
        }
      }

      if (enableAudit) {
        if (auditHelper == null) {
          String securityDomainName = PicketLinkAuditHelper.getSecurityDomainName(servletContext);

          auditHelper = new PicketLinkAuditHelper(securityDomainName);
        }
      }

      SPType spConfiguration = (SPType) picketLinkType.getIdpOrSP();
      processIdPMetadata(spConfiguration);

      this.serviceURL = spConfiguration.getServiceURL();
      this.canonicalizationMethod = spConfiguration.getCanonicalizationMethod();
      this.picketLinkConfiguration = picketLinkType;

      this.issuerID = filterConfig.getInitParameter(ISSUER_ID);
      this.characterEncoding = filterConfig.getInitParameter(CHARACTER_ENCODING);
      this.samlHandlerChainClass = filterConfig.getInitParameter(SAML_HANDLER_CHAIN_CLASS);

      logger.samlSPSettingCanonicalizationMethod(canonicalizationMethod);
      XMLSignatureUtil.setCanonicalizationMethodType(canonicalizationMethod);

      try {
        this.initKeyProvider();
        this.initializeHandlerChain(picketLinkType);
      } catch (Exception e) {
        throw new RuntimeException(e);
      }

      logger.trace("Identity Provider URL=" + getConfiguration().getIdentityURL());
    } catch (Exception e) {
      throw new RuntimeException(e);
    }
  }
示例#3
0
  private boolean handleSAML2Response(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    HttpSession session = request.getSession(true);
    String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY);
    HTTPContext httpContext = new HTTPContext(request, response, this.servletContext);
    Set<SAML2Handler> handlers = chain.handlers();

    Principal principal = request.getUserPrincipal();

    boolean willSendRequest; // deal with SAML response from IDP

    try {
      ServiceProviderSAMLResponseProcessor responseProcessor =
          new ServiceProviderSAMLResponseProcessor(
              request.getMethod().equals("POST"),
              serviceURL,
              this.picketLinkConfiguration,
              this.idpMetadata);
      if (auditHelper != null) {
        responseProcessor.setAuditHelper(auditHelper);
      }

      responseProcessor.setTrustKeyManager(keyManager);

      SAML2HandlerResponse saml2HandlerResponse =
          responseProcessor.process(samlResponse, httpContext, handlers, chainLock);

      Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
      String relayState = saml2HandlerResponse.getRelayState();

      String destination = saml2HandlerResponse.getDestination();

      willSendRequest = saml2HandlerResponse.getSendRequest();

      String destinationQueryStringWithSignature =
          saml2HandlerResponse.getDestinationQueryStringWithSignature();

      if (destination != null && samlResponseDocument != null) {
        sendRequestToIDP(
            destination,
            samlResponseDocument,
            relayState,
            request,
            response,
            willSendRequest,
            destinationQueryStringWithSignature);
      } else {
        // See if the session has been invalidated
        boolean sessionValidity = request.getUserPrincipal() != null;

        if (!sessionValidity) {
          sendToLogoutPage(request, response, session);
          return false;
        }

        // We got a response with the principal
        List<String> roles = saml2HandlerResponse.getRoles();
        if (principal == null) {
          principal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID);
        }

        if (principal == null) {
          throw new RuntimeException(ErrorCodes.NULL_VALUE + " principal");
        }

        if (isEnableAudit()) {
          PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
          auditEvent.setType(PicketLinkAuditEventType.RESPONSE_FROM_IDP);
          auditEvent.setSubjectName(principal.getName());
          auditEvent.setWhoIsAuditing(getContextPath());
          auditHelper.audit(auditEvent);
        }

        return true;
      }
    } catch (ProcessingException pe) {
      Throwable t = pe.getCause();
      if (t != null && t instanceof AssertionExpiredException) {
        logger.error("Assertion has expired. Asking IDP for reissue");
        if (isEnableAudit()) {
          PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
          auditEvent.setType(PicketLinkAuditEventType.EXPIRED_ASSERTION);
          auditEvent.setAssertionID(((AssertionExpiredException) t).getId());
          auditHelper.audit(auditEvent);
        }
        // Just issue a fresh request back to IDP
        return generalUserRequest(request, response);
      }
      logger.samlSPHandleRequestError(pe);
      throw logger.samlSPProcessingExceptionError(pe);
    } catch (Exception e) {
      logger.samlSPHandleRequestError(e);
      throw logger.samlSPProcessingExceptionError(e);
    }

    return localAuthentication(request, response);
  }
示例#4
0
  private boolean generalUserRequest(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    HttpSession session = request.getSession(true);
    boolean willSendRequest = false;
    HTTPContext httpContext = new HTTPContext(request, response, this.servletContext);
    Set<SAML2Handler> handlers = chain.handlers();

    boolean postBinding = getConfiguration().getBindingType().equals("POST");

    // Neither saml request nor response from IDP
    // So this is a user request
    SAML2HandlerResponse saml2HandlerResponse = null;
    try {
      ServiceProviderBaseProcessor baseProcessor =
          new ServiceProviderBaseProcessor(
              postBinding, serviceURL, this.picketLinkConfiguration, this.idpMetadata);
      if (issuerID != null) {
        baseProcessor.setIssuer(issuerID);
      }

      // If the user has a different desired idp
      String idp = (String) request.getAttribute(DESIRED_IDP);
      if (StringUtil.isNotNull(idp)) {
        baseProcessor.setIdentityURL(idp);
      } else {
        baseProcessor.setIdentityURL(getIdentityURL());
      }
      baseProcessor.setAuditHelper(auditHelper);

      saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
    } catch (ProcessingException pe) {
      logger.samlSPHandleRequestError(pe);
      throw new RuntimeException(pe);
    } catch (ParsingException pe) {
      logger.samlSPHandleRequestError(pe);
      throw new RuntimeException(pe);
    } catch (ConfigurationException pe) {
      logger.samlSPHandleRequestError(pe);
      throw new RuntimeException(pe);
    }

    willSendRequest = saml2HandlerResponse.getSendRequest();

    Document samlResponseDocument = saml2HandlerResponse.getResultingDocument();
    String relayState = saml2HandlerResponse.getRelayState();

    String destination = saml2HandlerResponse.getDestination();
    String destinationQueryStringWithSignature =
        saml2HandlerResponse.getDestinationQueryStringWithSignature();

    if (destination != null && samlResponseDocument != null) {
      try {
        if (isEnableAudit()) {
          PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
          auditEvent.setType(PicketLinkAuditEventType.REQUEST_TO_IDP);
          auditEvent.setWhoIsAuditing(getContextPath());
          auditHelper.audit(auditEvent);
        }
        sendRequestToIDP(
            destination,
            samlResponseDocument,
            relayState,
            request,
            response,
            willSendRequest,
            destinationQueryStringWithSignature);
        return false;
      } catch (Exception e) {
        logger.samlSPHandleRequestError(e);
        throw logger.samlSPProcessingExceptionError(e);
      }
    }

    return localAuthentication(request, response);
  }