encode the failure response for saml 2 authnreq
[java-idp.git] / src / edu / internet2 / middleware / shibboleth / idp / profile / saml2 / AuthenticationRequestBrowserPost.java
1 /*
2  * Copyright [2007] [University Corporation for Advanced Internet Development, Inc.]
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
17 package edu.internet2.middleware.shibboleth.idp.profile.saml2;
18
19 import javax.servlet.ServletRequest;
20 import javax.servlet.ServletResponse;
21 import javax.servlet.http.HttpServletRequest;
22 import javax.servlet.http.HttpServletResponse;
23 import javax.servlet.http.HttpSession;
24
25 import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
26 import edu.internet2.middleware.shibboleth.common.profile.ProfileRequest;
27 import edu.internet2.middleware.shibboleth.common.profile.ProfileResponse;
28 import edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfiguration;
29 import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.SSOConfiguration;
30
31 import org.apache.log4j.Logger;
32 import org.joda.time.DateTime;
33 import org.opensaml.common.SAMLObject;
34 import org.opensaml.common.binding.BindingException;
35 import org.opensaml.common.binding.decoding.MessageDecoder;
36 import org.opensaml.saml2.core.AuthnRequest;
37 import org.opensaml.saml2.core.Issuer;
38 import org.opensaml.saml2.core.Response;
39 import org.opensaml.saml2.metadata.SPSSODescriptor;
40 import org.opensaml.saml2.metadata.provider.MetadataProvider;
41 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
42
43 /**
44  * Browser POST binding for SAML 2 AuthenticationRequest.
45  */
46 public class AuthenticationRequestBrowserPost extends AbstractAuthenticationRequest {
47     
48     /** Class logger. */
49     private static final Logger log = Logger.getLogger(AuthenticationRequestBrowserPost.class);
50     
51     /** SAML 2 Profile ID. */
52     protected static final String PROFILE_ID = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser";
53     
54     /** SAML 2 Binding URI. */
55     protected static final String BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
56     
57     /** Constructor. */
58     public AuthenticationRequestBrowserPost() {
59         super();
60     }
61     
62     /** {@inheritDoc} */
63     public String getProfileId() {
64         return PROFILE_ID;
65     }
66     
67     /** {@inheritDoc} */
68     public void processRequest(final ProfileRequest<ServletRequest> request,
69             final ProfileResponse<ServletResponse> response)
70             throws ProfileException {
71         
72         // Only http servlets are supported for now.
73         if (!(request.getRawRequest() instanceof HttpServletRequest)) {
74             log.error("Received a non-HTTP request");
75             throw new ProfileException("Received a non-HTTP request");
76         }
77         
78         HttpServletRequest httpRequest = (HttpServletRequest) request.getRawRequest();
79         HttpServletResponse httpResponse = (HttpServletResponse) response.getRawResponse();
80         HttpSession httpSession = httpRequest.getSession();
81         
82         AuthnRequest authnRequest = null;
83         String issuer = null;
84         MetadataProvider metadataProvider = null;
85         RelyingPartyConfiguration relyingParty = null;
86         SSOConfiguration ssoConfig = null;
87         SPSSODescriptor spDescriptor = null;
88         
89         
90         // If the user hasn't been authenticated, validate the AuthnRequest
91         // and redirect to AuthenticationManager to authenticate the user.
92         if (!hasUserAuthenticated(httpSession)) {
93             
94             try {
95                 // decode the AuthnRequest
96                 MessageDecoder<ServletRequest> decoder = getMessageDecoderFactory().getMessageDecoder(BINDING_URI);
97                 if (decoder == null) {
98                     log.error("SAML 2 AuthnRequest: No MessageDecoder registered for " + BINDING_URI);
99                     throw new ProfileException("SAML 2 AuthnRequest: No MessageDecoder registered for " + BINDING_URI);
100                 }
101                 
102                 decoder.setMetadataProvider(getMetadataProvider());
103                 populateMessageDecoder(decoder);
104                 decoder.decode();
105                 
106                 SAMLObject samlObject = decoder.getSAMLMessage();
107                 if (!(samlObject instanceof AuthnRequest)) {
108                     log.error("SAML 2 AuthnRequest: Received message is not a SAML 2 Authentication Request");
109                     throw new ProfileException("SAML 2 AuthnRequest: Received message is not a SAML 2 Authentication Request");
110                 }
111                 
112                 authnRequest = (AuthnRequest) samlObject;
113                 issuer = decoder.getSecurityPolicy().getIssuer();
114                 
115                 // check that we have metadata for the RP
116                 metadataProvider = getRelyingPartyConfigurationManager().getMetadataProvider();
117                 relyingParty = getRelyingPartyConfigurationManager().getRelyingPartyConfiguration(issuer);
118                 ssoConfig = (SSOConfiguration) relyingParty.getProfileConfigurations().get(SSOConfiguration.PROFILE_ID);
119                 
120                 try {
121                     spDescriptor = metadataProvider.getEntityDescriptor(
122                             relyingParty.getRelyingPartyId()).getSPSSODescriptor(
123                             SAML20_PROTOCOL_URI);
124                 } catch (MetadataProviderException ex) {
125                     log.error(
126                             "SAML 2 Authentication Request: Unable to locate metadata for SP "
127                             + issuer + " for protocol " + SAML20_PROTOCOL_URI, ex);
128                     throw new ProfileException("SAML 2 Authentication Request: Unable to locate metadata for SP "
129                             + issuer + " for protocol " + SAML20_PROTOCOL_URI, ex);
130                 }
131                 
132                 if (spDescriptor == null) {
133                     log.error("SAML 2 Authentication Request: Unable to locate metadata for SP "
134                             + issuer + " for protocol " + SAML20_PROTOCOL_URI);
135                     throw new ProfileException("SAML 2 Authentication Request: Unable to locate metadata for SP "
136                             + issuer + " for protocol " + SAML20_PROTOCOL_URI);
137                 }
138                 
139                 verifyAuthnRequest(authnRequest, issuer, relyingParty, httpSession);
140                 storeRequestData(httpSession, authnRequest, issuer, relyingParty, ssoConfig, spDescriptor);
141                 authenticateUser(authnRequest, httpSession, httpRequest, httpResponse);
142                 
143             } catch (BindingException ex) {
144                 log.error("SAML 2 Authentication Request: Unable to decode SAML 2 Authentication Request", ex);
145                 throw new ProfileException(
146                         "SAML 2 Authentication Request: Unable to decode SAML 2 Authentication Request", ex);
147             } catch (AuthenticationRequestException ex) {
148                 
149                 // AuthN failed. Send the failure status.
150                 retrieveRequestData(httpSession, authnRequest, issuer, relyingParty, ssoConfig, spDescriptor);
151                 Response failureResponse = buildResponse(authnRequest.getID(), new DateTime(), issuer, ex.getStatus());
152                 encodeResponse(BINDING_URI, response, failureResponse, relyingParty, ssoConfig, spDescriptor);
153             } 
154         }
155         
156         // The user has already been authenticated,
157         // so generate an AuthenticationStatement.
158         retrieveRequestData(httpSession, authnRequest, issuer, relyingParty, ssoConfig, spDescriptor);
159         Response samlResponse = evaluateRequest(authnRequest, issuer, httpSession, relyingParty, ssoConfig, spDescriptor);
160         encodeResponse(BINDING_URI, response, samlResponse, relyingParty, ssoConfig, spDescriptor);
161     }
162 }