Implement audience/condition tests
[java-idp.git] / src / edu / internet2 / middleware / shibboleth / serviceprovider / AssertionConsumerServlet.java
index 6214986..8c0e33f 100644 (file)
@@ -48,8 +48,8 @@
  */
 package edu.internet2.middleware.shibboleth.serviceprovider;
 
-import java.io.File;
 import java.io.IOException;
+import java.util.Iterator;
 
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
@@ -59,22 +59,14 @@ import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.opensaml.SAMLException;
+import org.apache.log4j.Logger;
+import org.opensaml.SAMLAudienceRestrictionCondition;
 import org.opensaml.SAMLBrowserProfile;
+import org.opensaml.SAMLCondition;
+import org.opensaml.SAMLException;
 import org.opensaml.SAMLResponse;
 import org.opensaml.SAMLBrowserProfile.BrowserProfileResponse;
-import org.w3c.dom.Element;
-import org.apache.log4j.FileAppender;
-import org.apache.log4j.Layout;
-import org.apache.log4j.Level;
-import org.apache.log4j.Logger;
-import org.apache.log4j.PatternLayout;
-import org.apache.xml.security.Init;
-
 import x0.maceShibbolethTargetConfig1.SessionsDocument.Sessions;
-
-import edu.internet2.middleware.commons.log4j.ThreadLocalAppender;
-import edu.internet2.middleware.shibboleth.common.Credentials;
 import edu.internet2.middleware.shibboleth.common.ShibBrowserProfile;
 import edu.internet2.middleware.shibboleth.metadata.MetadataException;
 import edu.internet2.middleware.shibboleth.resource.AuthenticationFilter;
@@ -87,13 +79,10 @@ import edu.internet2.middleware.shibboleth.serviceprovider.ServiceProviderConfig
  */
 public class AssertionConsumerServlet extends HttpServlet {
 
-       private static Logger log = null;
+       private static Logger log = Logger.getLogger(AssertionConsumerServlet.class.getName());
        
        private static ServiceProviderContext context = ServiceProviderContext.getInstance();
        
-       private Element                 configuration = null;
-       private Credentials             credentials = null;
-       
        public static final String SESSIONPARM =
            "ShibbolethSessionId";
        
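Review bot: Now that `log` is initialized at its declaration rather than assigned later in `init()`, the field can be `private static final Logger log = Logger.getLogger(AssertionConsumerServlet.class.getName());`, matching the usual logger idiom and preventing accidental reassignment. The `context` field on the next line is in the same position and could be made final for the same reason. The class body continues outside the hunk.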
@@ -102,43 +91,10 @@ public class AssertionConsumerServlet extends HttpServlet {
                super.init();
                ServletContext servletContext = this.getServletContext();
                
-               Init.init();
-
-               // Initialize logging specially
-               Logger targetLogger = Logger.getLogger("edu.internet2.middleware");
-               Logger samlLogger = Logger.getLogger("org.opensaml");
-               File diagdir = new File(servletContext.getRealPath("/diagnose"));
-               diagdir.mkdirs();
-               String logname = servletContext.getRealPath("/diagnose/initialize.log");
-               Layout initLayout = new PatternLayout("%d{HH:mm} %-5p %m%n");
-               
-               try {
-            FileAppender initLogAppender = new FileAppender(initLayout,logname);
-            ThreadLocalAppender threadAppender = new ThreadLocalAppender();
-            threadAppender.setLayout(initLayout);
-            targetLogger.setAdditivity(false);
-            targetLogger.addAppender(initLogAppender);
-            targetLogger.addAppender(threadAppender);
-            targetLogger.setLevel(Level.DEBUG);
-            samlLogger.addAppender(threadAppender);
-            samlLogger.setLevel(Level.DEBUG);
-        } catch (IOException e) {
-            e.printStackTrace();
-        }
-               
-/*             ConsoleAppender rootAppender = new ConsoleAppender();
-               rootAppender.setWriter(new PrintWriter(System.out));
-               rootAppender.setName("stdout");
-               targetLogger.addAppender(rootAppender);
-
-               // rootAppender.setLayout(new PatternLayout("%-5p %-41X{serviceId} %d{ISO8601} (%c:%L) - %m%n"));
-               // Logger.getRootLogger().setLevel((Level) Level.DEBUG);
-               Logger.getRootLogger().setLevel((Level) Level.INFO);
-               rootAppender.setLayout(new PatternLayout("%d{ISO8601} %-5p %-41X{serviceId} - %m%n"));
-*/
-               log = Logger.getLogger(AssertionConsumerServlet.class.getName());
-               
+               // Note: the ServletContext should have been initialized by the Listener
                ServletContextInitializer.initServiceProvider(servletContext);
+               
+               // Establish linkage between the SP context and the RM Filter class
                AuthenticationFilter.setFilterSupport(new FilterSupportImpl());
        }
 
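Review bot: The new comment before `initServiceProvider` justifies dropping the logging setup but not the `Init.init()` call to Apache XML Security that the same hunk removes; if neither the Listener nor OpenSAML's own static initialization performs that step, signature processing on incoming responses would presumably fail at first use rather than at startup. Either restore the call or extend the comment so the dependency is explicit, e.g. `// Note: xmlsec Init.init() and the ServletContext are handled by the Listener`. The `init()` signature lies above the hunk.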
@@ -164,7 +120,7 @@ public class AssertionConsumerServlet extends HttpServlet {
             String ipaddr = request.getRemoteAddr();
             
             // URL of Resource that triggered authorization
-            // XXX: I added support to the profile for extracting TARGET, but
+            // I added support to the profile for extracting TARGET, but
             // it's not too critical in Java since you can grab it easily anyway.
             // Might be better in the 2.0 future though, since the bindings get trickier.
             String target = request.getParameter("TARGET");
@@ -254,8 +210,6 @@ public class AssertionConsumerServlet extends HttpServlet {
         String sessionid=null;
         StringBuffer pproviderId = // Get back IdP Entity name from SAML
             new StringBuffer();
-        String[] audiences = new String[1];
-        audiences[0]=providerId;
         
         ShibBrowserProfile profile = new ShibBrowserProfile(applicationId);
         BrowserProfileResponse samldata = profile.receive(
@@ -268,7 +222,30 @@ public class AssertionConsumerServlet extends HttpServlet {
                 1
         );
         
-        // TODO: Audience/condition checking is now the profile caller's job.
+        Iterator conditions = samldata.assertion.getConditions();
+        while (conditions.hasNext()) {
+            SAMLCondition cond =
+                (SAMLCondition)conditions.next();
+            
+            if (cond instanceof SAMLAudienceRestrictionCondition) {
+                SAMLAudienceRestrictionCondition audienceCondition =
+                    (SAMLAudienceRestrictionCondition) cond;
+                Iterator audiences = audienceCondition.getAudiences();
+                if (audiences==null)
+                    continue; // probably invalid
+                boolean matched = false;
+                while (audiences.hasNext()) {
+                    String audienceString = (String) audiences.next();
+                    if (audienceString.equals(providerId)) {
+                        matched=true;
+                        break;
+                    }
+                }
+                if (!matched) {
+                    throw new SAMLException("Assertion restricted to other audiences.");
+                }
+            }
+        }
         
         // The Authentication Assertion gets placed in a newly created
         // Session object. Later, someone will get an Attribute Assertion
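Review bot: The new condition loop fails open in two places: a condition that is not a `SAMLAudienceRestrictionCondition` falls through the `instanceof` test with no else branch and is silently accepted, and an audience restriction whose `getAudiences()` returns null is skipped via `continue` rather than rejected. SAML 1.x requires an assertion carrying a condition the relying party does not understand to be treated as invalid, so the default should be to throw: replace the `continue` with `throw new SAMLException("Audience restriction without audiences.");` and add `} else { throw new SAMLException("Unrecognized assertion condition."); }` after the audience branch. If the OpenSAML build in use defines a DoNotCache condition class, it can be accepted explicitly in the same chain instead of through the default. Whether `profile.receive` already enforces NotBefore/NotOnOrAfter is not visible here; if it does not, that validity-window check belongs alongside this loop. The enclosing method begins and ends outside the hunk.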
@@ -295,8 +272,7 @@ public class AssertionConsumerServlet extends HttpServlet {
 
     protected void doGet(HttpServletRequest arg0, HttpServletResponse arg1)
        throws ServletException, IOException {
-        // TODO Auto-generated method stub
-        super.doGet(arg0, arg1);
+       // Currently the Assertion Consumer does not receive a GET
     }