sync up with shib-common
[java-idp.git] / src / edu / internet2 / middleware / shibboleth / idp / profile / saml2 / AuthenticationRequestBrowserPost.java
1 /*
2  * Copyright [2007] [University Corporation for Advanced Internet Development, Inc.]
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
17 package edu.internet2.middleware.shibboleth.idp.profile.saml2;
18
19 import javax.servlet.ServletRequest;
20 import javax.servlet.ServletResponse;
21 import javax.servlet.http.HttpServletRequest;
22 import javax.servlet.http.HttpServletResponse;
23 import javax.servlet.http.HttpSession;
24
25 import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
26 import edu.internet2.middleware.shibboleth.common.profile.ProfileRequest;
27 import edu.internet2.middleware.shibboleth.common.profile.ProfileResponse;
28 import edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfiguration;
29 import edu.internet2.middleware.shibboleth.common.relyingparty.saml2.SSOConfiguration;
30
31 import org.apache.log4j.Logger;
32 import org.opensaml.common.SAMLObject;
33 import org.opensaml.common.binding.BindingException;
34 import org.opensaml.common.binding.decoding.MessageDecoder;
35 import org.opensaml.saml2.core.AuthnRequest;
36 import org.opensaml.saml2.core.Issuer;
37 import org.opensaml.saml2.core.Response;
38 import org.opensaml.saml2.metadata.SPSSODescriptor;
39 import org.opensaml.saml2.metadata.provider.MetadataProvider;
40 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
41
42 /**
43  * Browser POST binding for SAML 2 AuthenticationRequest.
44  */
45 public class AuthenticationRequestBrowserPost extends AbstractAuthenticationRequest {
46     
47     /** Class logger. */
48     private static final Logger log = Logger.getLogger(AuthenticationRequestBrowserPost.class);
49     
50     /** SAML 2 Profile ID. */
51     protected static final String PROFILE_ID = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser";
52     
53     /** SAML 2 Binding URI. */
54     protected static final String BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
55     
56     /** Constructor. */
57     public AuthenticationRequestBrowserPost() {
58         super();
59     }
60     
61     /** {@inheritDoc} */
62     public String getProfileId() {
63         return PROFILE_ID;
64     }
65     
66     /** {@inheritDoc} */
67     public void processRequest(final ProfileRequest<ServletRequest> request,
68             final ProfileResponse<ServletResponse> response)
69             throws ProfileException {
70         
71         // Only http servlets are supported for now.
72         if (!(request.getRawRequest() instanceof HttpServletRequest)) {
73             log.error("Received a non-HTTP request");
74             throw new ProfileException("Received a non-HTTP request");
75         }
76         
77         HttpServletRequest httpRequest = (HttpServletRequest) request.getRawRequest();
78         HttpServletResponse httpResponse = (HttpServletResponse) response.getRawResponse();
79         HttpSession httpSession = httpRequest.getSession();
80         
81         AuthnRequest authnRequest = null;
82         Issuer issuer = null;
83         MetadataProvider metadataProvider = null;
84         String providerId = null;
85         RelyingPartyConfiguration relyingParty = null;
86         SSOConfiguration ssoConfig = null;
87         SPSSODescriptor spDescriptor = null;
88         
89         
90         // If the user hasn't been authenticated, validate the AuthnRequest
91         // and redirect to AuthenticationManager to authenticate the user.
92         if (!hasUserAuthenticated(httpSession)) {
93             
94             try {
95                 // decode the AuthnRequest
96                 MessageDecoder<ServletRequest> decoder = getMessageDecoderFactory().getMessageDecoder(BINDING_URI);
97                 if (decoder == null) {
98                     log.error("SAML 2 AuthnRequest: No MessageDecoder registered for " + BINDING_URI);
99                     throw new ProfileException("SAML 2 AuthnRequest: No MessageDecoder registered for " + BINDING_URI);
100                 }
101                 
102                 decoder.setMetadataProvider(getRelyingPartyConfigurationManager().getMetadataProvider());
103                 populateMessageDecoder(decoder);
104                 decoder.decode();
105                 
106                 SAMLObject samlObject = decoder.getSAMLMessage();
107                 if (!(samlObject instanceof AuthnRequest)) {
108                     log.error("SAML 2 AuthnRequest: Received message is not a SAML 2 Authentication Request");
109                     throw new ProfileException("SAML 2 AuthnRequest: Received message is not a SAML 2 Authentication Request");
110                 }
111                 
112                 authnRequest = (AuthnRequest) samlObject;
113                 issuer = (Issuer) decoder.getSecurityPolicy().getIssuer();
114                 
115                 // check that we have metadata for the RP
116                 metadataProvider = getRelyingPartyConfigurationManager().getMetadataProvider();
117                 providerId = issuer.getSPProvidedID();
118                 relyingParty = getRelyingPartyConfigurationManager().getRelyingPartyConfiguration(providerId);
119                 ssoConfig = (SSOConfiguration) relyingParty.getProfileConfigurations().get(SSOConfiguration.PROFILE_ID);
120                 
121                 try {
122                     spDescriptor = metadataProvider.getEntityDescriptor(
123                             relyingParty.getRelyingPartyId()).getSPSSODescriptor(
124                             SAML20_PROTOCOL_URI);
125                 } catch (MetadataProviderException ex) {
126                     log.error(
127                             "SAML 2 Authentication Request: Unable to locate metadata for SP "
128                             + providerId + " for protocol "
129                             + SAML20_PROTOCOL_URI, ex);
130                     throw new ProfileException("SAML 2 Authentication Request: Unable to locate metadata for SP "
131                             + providerId + " for protocol "
132                             + SAML20_PROTOCOL_URI, ex);
133                 }
134                 
135                 if (spDescriptor == null) {
136                     log.error("SAML 2 Authentication Request: Unable to locate metadata for SP "
137                             + providerId
138                             + " for protocol "
139                             + SAML20_PROTOCOL_URI);
140                     throw new ProfileException("SAML 2 Authentication Request: Unable to locate metadata for SP "
141                             + providerId
142                             + " for protocol "
143                             + SAML20_PROTOCOL_URI);
144                 }
145                 
146                 verifyAuthnRequest(authnRequest, issuer, relyingParty, httpSession);
147                 storeRequestData(httpSession, authnRequest, issuer, relyingParty, ssoConfig, spDescriptor);
148                 authenticateUser(authnRequest, httpSession, httpRequest, httpResponse);
149                 
150             } catch (BindingException ex) {
151                 log.error("SAML 2 Authentication Request: Unable to decode SAML 2 Authentication Request", ex);
152                 throw new ProfileException(
153                         "SAML 2 Authentication Request: Unable to decode SAML 2 Authentication Request", ex);
154             } catch (AuthenticationRequestException ex) { 
155                 // XXX: todo: generate and send the error, with a REQUEST_URI
156                 // failure.
157             } 
158         }
159         
160         // The user has already been authenticated,
161         // so generate an AuthenticationStatement.
162         retrieveRequestData(httpSession, authnRequest, issuer, relyingParty, ssoConfig, spDescriptor);
163         Response samlResponse = evaluateRequest(authnRequest, issuer, httpSession, relyingParty, ssoConfig, spDescriptor);
164         encodeResponse(BINDING_URI, response, samlResponse, relyingParty, ssoConfig, spDescriptor);
165     }
166 }