make it build again
[java-idp.git] / src / edu / internet2 / middleware / shibboleth / idp / profile / saml2 / AuthenticationRequestBrowserPost.java
1 /*
2  * Copyright [2007] [University Corporation for Advanced Internet Development, Inc.]
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
17 package edu.internet2.middleware.shibboleth.idp.profile.saml2;
18
19 import javax.servlet.ServletRequest;
20 import javax.servlet.ServletResponse;
21 import javax.servlet.http.HttpServletRequest;
22 import javax.servlet.http.HttpServletResponse;
23 import javax.servlet.http.HttpSession;
24
25 import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
26 import edu.internet2.middleware.shibboleth.common.profile.ProfileRequest;
27 import edu.internet2.middleware.shibboleth.common.profile.ProfileResponse;
28 import edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfiguration;
29 import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.SSOConfiguration;
30
31 import org.apache.log4j.Logger;
32 import org.opensaml.common.SAMLObject;
33 import org.opensaml.common.binding.BindingException;
34 import org.opensaml.common.binding.decoding.MessageDecoder;
35 import org.opensaml.saml2.core.AuthnRequest;
36 import org.opensaml.saml2.core.Issuer;
37 import org.opensaml.saml2.core.Response;
38 import org.opensaml.saml2.metadata.SPSSODescriptor;
39 import org.opensaml.saml2.metadata.provider.MetadataProvider;
40 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
41
42 /**
43  * Browser POST binding for SAML 2 AuthenticationRequest.
44  */
45 public class AuthenticationRequestBrowserPost extends AbstractAuthenticationRequest {
46     
47     /** Class logger. */
48     private static final Logger log = Logger.getLogger(AuthenticationRequestBrowserPost.class);
49     
50     /** SAML 2 Profile ID. */
51     protected static final String PROFILE_ID = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser";
52     
53     /** SAML 2 Binding URI. */
54     protected static final String BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
55     
56     /** Constructor. */
57     public AuthenticationRequestBrowserPost() {
58         super();
59     }
60     
61     /** {@inheritDoc} */
62     public String getProfileId() {
63         return PROFILE_ID;
64     }
65     
66     /** {@inheritDoc} */
67     public void processRequest(final ProfileRequest<ServletRequest> request,
68             final ProfileResponse<ServletResponse> response)
69             throws ProfileException {
70         
71         // Only http servlets are supported for now.
72         if (!(request.getRawRequest() instanceof HttpServletRequest)) {
73             log.error("Received a non-HTTP request");
74             throw new ProfileException("Received a non-HTTP request");
75         }
76         
77         HttpServletRequest httpRequest = (HttpServletRequest) request.getRawRequest();
78         HttpServletResponse httpResponse = (HttpServletResponse) response.getRawResponse();
79         HttpSession httpSession = httpRequest.getSession();
80         
81         AuthnRequest authnRequest = null;
82         String issuer = null;
83         MetadataProvider metadataProvider = null;
84         RelyingPartyConfiguration relyingParty = null;
85         SSOConfiguration ssoConfig = null;
86         SPSSODescriptor spDescriptor = null;
87         
88         
89         // If the user hasn't been authenticated, validate the AuthnRequest
90         // and redirect to AuthenticationManager to authenticate the user.
91         if (!hasUserAuthenticated(httpSession)) {
92             
93             try {
94                 // decode the AuthnRequest
95                 MessageDecoder<ServletRequest> decoder = getMessageDecoderFactory().getMessageDecoder(BINDING_URI);
96                 if (decoder == null) {
97                     log.error("SAML 2 AuthnRequest: No MessageDecoder registered for " + BINDING_URI);
98                     throw new ProfileException("SAML 2 AuthnRequest: No MessageDecoder registered for " + BINDING_URI);
99                 }
100                 
101                 decoder.setMetadataProvider(getMetadataProvider());
102                 populateMessageDecoder(decoder);
103                 decoder.decode();
104                 
105                 SAMLObject samlObject = decoder.getSAMLMessage();
106                 if (!(samlObject instanceof AuthnRequest)) {
107                     log.error("SAML 2 AuthnRequest: Received message is not a SAML 2 Authentication Request");
108                     throw new ProfileException("SAML 2 AuthnRequest: Received message is not a SAML 2 Authentication Request");
109                 }
110                 
111                 authnRequest = (AuthnRequest) samlObject;
112                 issuer = decoder.getSecurityPolicy().getIssuer();
113                 
114                 // check that we have metadata for the RP
115                 metadataProvider = getRelyingPartyConfigurationManager().getMetadataProvider();
116                 relyingParty = getRelyingPartyConfigurationManager().getRelyingPartyConfiguration(issuer);
117                 ssoConfig = (SSOConfiguration) relyingParty.getProfileConfigurations().get(SSOConfiguration.PROFILE_ID);
118                 
119                 try {
120                     spDescriptor = metadataProvider.getEntityDescriptor(
121                             relyingParty.getRelyingPartyId()).getSPSSODescriptor(
122                             SAML20_PROTOCOL_URI);
123                 } catch (MetadataProviderException ex) {
124                     log.error(
125                             "SAML 2 Authentication Request: Unable to locate metadata for SP "
126                             + issuer + " for protocol " + SAML20_PROTOCOL_URI, ex);
127                     throw new ProfileException("SAML 2 Authentication Request: Unable to locate metadata for SP "
128                             + issuer + " for protocol " + SAML20_PROTOCOL_URI, ex);
129                 }
130                 
131                 if (spDescriptor == null) {
132                     log.error("SAML 2 Authentication Request: Unable to locate metadata for SP "
133                             + issuer + " for protocol " + SAML20_PROTOCOL_URI);
134                     throw new ProfileException("SAML 2 Authentication Request: Unable to locate metadata for SP "
135                             + issuer + " for protocol " + SAML20_PROTOCOL_URI);
136                 }
137                 
138                 verifyAuthnRequest(authnRequest, issuer, relyingParty, httpSession);
139                 storeRequestData(httpSession, authnRequest, issuer, relyingParty, ssoConfig, spDescriptor);
140                 authenticateUser(authnRequest, httpSession, httpRequest, httpResponse);
141                 
142             } catch (BindingException ex) {
143                 log.error("SAML 2 Authentication Request: Unable to decode SAML 2 Authentication Request", ex);
144                 throw new ProfileException(
145                         "SAML 2 Authentication Request: Unable to decode SAML 2 Authentication Request", ex);
146             } catch (AuthenticationRequestException ex) { 
147                 // XXX: todo: generate and send the error, with a REQUEST_URI
148                 // failure.
149             } 
150         }
151         
152         // The user has already been authenticated,
153         // so generate an AuthenticationStatement.
154         retrieveRequestData(httpSession, authnRequest, issuer, relyingParty, ssoConfig, spDescriptor);
155         Response samlResponse = evaluateRequest(authnRequest, issuer, httpSession, relyingParty, ssoConfig, spDescriptor);
156         encodeResponse(BINDING_URI, response, samlResponse, relyingParty, ssoConfig, spDescriptor);
157     }
158 }