import edu.internet2.middleware.shibboleth.aa.arp.ArpException;
import edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver;
import edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolverException;
+import edu.internet2.middleware.shibboleth.common.AuditLevel;
import edu.internet2.middleware.shibboleth.common.AuthNPrincipal;
import edu.internet2.middleware.shibboleth.common.ShibResource;
import edu.internet2.middleware.shibboleth.hs.HandleRepository;
return properties;
}
- public void doPost(HttpServletRequest req, HttpServletResponse resp)
- throws ServletException, IOException {
+ public void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
MDC.put("serviceId", "[AA] " + new SAMLIdentifier().toString());
MDC.put("remoteAddr", req.getRemoteAddr());
try {
saml =
new AASaml(
- configuration.getProperty(
- "edu.internet2.middleware.shibboleth.aa.AAServlet.authorityName"),
+ configuration.getProperty("edu.internet2.middleware.shibboleth.aa.AAServlet.authorityName"),
configuration.getProperty("edu.internet2.middleware.shibboleth.audiences").replaceAll(
"\\s",
"").split(
// for testing
principal = new AuthNPrincipal("test-handle");
} else {
- principal = handleRepository.getPrincipal(saml.getHandle(),saml.getFormat());
+ principal = handleRepository.getPrincipal(saml.getHandle(), saml.getFormat());
}
URL resource = null;
saml.respond(resp, attrs, null);
log.info("Successfully responded about " + principal.getName());
+ if (attrs.size() == 0) {
+ log.log(
+ AuditLevel.AUDIT,
+ "Attribute assertion issued to SHAR ("
+ + saml.getShar()
+ + ") on behalf of principal ("
+ + principal.getName()
+ + "). No attributes released.");
+ } else {
+ Iterator iterator = attrs.iterator();
+ StringBuffer attributeList = new StringBuffer();
+ while (iterator.hasNext()) {
+ attributeList.append(((SAMLAttribute) iterator.next()).getName());
+ }
+ log.log(
+ AuditLevel.AUDIT,
+ "Attribute assertion issued to SHAR ("
+ + saml.getShar()
+ + ") on behalf of principal ("
+ + principal.getName()
+ + "). Attributes released: ("
+ + attributeList
+ + ").");
+ }
+
} catch (InvalidHandleException e) {
log.info("Could not associate the Attribute Query Handle with a principal: " + e);
try {
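Review bot: The names appended inside the `while (iterator.hasNext())` loop have no separator, so the audit entry prints every released attribute run together ("Attributes released: (mailaffiliation)") and an auditor cannot tell where one name ends and the next begins; add a delimiter before each append, e.g. `if (attributeList.length() > 0) { attributeList.append(", "); }`. The same audit lines interpolate `saml.getShar()` and `principal.getName()`, which as far as this hunk shows come from the incoming query and handle rather than from local configuration, and the HandleServlet hunk later in this commit does the same with `req.getParameter("shire")` and `req.getParameter("target")`; a carriage return or line feed in any of those values would split one audit record into two, so strip or escape CR/LF before the value reaches the audit line, or document where upstream parsing guarantees single-line values. `attrs.size() == 0` is clearer as `attrs.isEmpty()` if `attrs` is a `Collection`, which the hunk does not show. The enclosing doPost begins and ends outside this hunk.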
if (configuration
.getProperty("edu.internet2.middleware.shibboleth.aa.AAServlet.passThruErrors", "false")
.equals("true")) {
- saml.fail(
- resp,
- new SAMLException(SAMLException.RESPONDER, "General error processing request.", e));
+ saml.fail(resp, new SAMLException(SAMLException.RESPONDER, "General error processing request.", e));
} else {
- saml.fail(
- resp,
- new SAMLException(SAMLException.RESPONDER, "General error processing request."));
+ saml.fail(resp, new SAMLException(SAMLException.RESPONDER, "General error processing request."));
}
return;
} catch (Exception ee) {
--- /dev/null
+/*
+ * The Shibboleth License, Version 1.
+ * Copyright (c) 2002
+ * University Corporation for Advanced Internet Development, Inc.
+ * All rights reserved
+ *
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution, if any, must include
+ * the following acknowledgment: "This product includes software developed by
+ * the University Corporation for Advanced Internet Development
+ * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement
+ * may appear in the software itself, if and wherever such third-party
+ * acknowledgments normally appear.
+ *
+ * Neither the name of Shibboleth nor the names of its contributors, nor
+ * Internet2, nor the University Corporation for Advanced Internet Development,
+ * Inc., nor UCAID may be used to endorse or promote products derived from this
+ * software without specific prior written permission. For written permission,
+ * please contact shibboleth@shibboleth.org
+ *
+ * Products derived from this software may not be called Shibboleth, Internet2,
+ * UCAID, or the University Corporation for Advanced Internet Development, nor
+ * may Shibboleth appear in their name, without prior written permission of the
+ * University Corporation for Advanced Internet Development.
+ *
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
+ * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
+ * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
+ * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package edu.internet2.middleware.shibboleth.common;
+
+import org.apache.log4j.Level;
+import org.apache.log4j.Priority;
+
+/**
+ * Custom Log4J <code>Level</code> implementation for creating Shibboleth
+ * Audit logs.
+ *
+ * @author Walter Hoehn
+ *
+ */
+public class AuditLevel extends Level {
+
+ final static int AUDIT_INT = OFF_INT;
+ //TODO find out what syslog level should be used
+ final static public Level AUDIT = new AuditLevel(AUDIT_INT, "AUDIT", 0);
+
+ protected AuditLevel(int level, String levelStr, int syslogEquivalent) {
+ super(level, levelStr, syslogEquivalent);
+ }
+
+ //Effectively pulls this Level out of the hierarchy
+ public boolean isGreaterOrEqual(Priority r) {
+ if (r instanceof AuditLevel) {
+ return true;
+ }
+ return false;
+ }
+
+ public static Level toLevel(int val, Level defaultLevel) {
+
+ if (val == AUDIT_INT) {
+ return AUDIT;
+ }
+ return Level.toLevel(val, defaultLevel);
+ }
+
+ public static Level toLevel(String sArg, Level defaultLevel) {
+
+ if (sArg.equalsIgnoreCase("AUDIT")) {
+ return AUDIT;
+ }
+ return Level.toLevel(sArg, defaultLevel);
+ }
+
+ /**
+ @deprecated This method will be removed with no replacement.
+ */
+ public static Priority[] getAllPossiblePriorities() {
+ return new Priority[] { Priority.FATAL, Priority.ERROR, Level.WARN, Priority.INFO, Priority.DEBUG, AUDIT };
+ }
+
+}
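Review bot: `toLevel(String sArg, Level defaultLevel)` dereferences `sArg` before delegating, so a null level string throws NullPointerException where `Level.toLevel(String, Level)` itself would return `defaultLevel`; flip the comparison to `if ("AUDIT".equalsIgnoreCase(sArg)) {`. `AUDIT_INT = OFF_INT` also makes AUDIT numerically indistinguishable from `Level.OFF`: as far as I recall `Priority.equals` compares only the integer level, so `Level.OFF.equals(AuditLevel.AUDIT)` holds and the `toLevel(int, Level)` override returns AUDIT for a configured OFF, which means a setting intended to silence a logger can instead select the audit level — a dedicated integer value avoids the collision, and the `0` passed as syslog equivalent (syslog emergency, the same value FATAL uses, if I remember the table correctly) deserves the TODO being resolved rather than shipped. Because `isGreaterOrEqual` returns true only for another AuditLevel, an audit event is emitted only where the logger's effective level (and any appender threshold) is itself AUDIT, so a logger left at INFO silently produces no audit trail; state that above the override, e.g. `// AUDIT events pass only loggers/appenders whose own level is AUDIT; every other level drops them silently, so audit loggers must be configured explicitly.`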
import org.opensaml.SAMLResponse;
import sun.misc.BASE64Decoder;
+import edu.internet2.middleware.shibboleth.common.AuditLevel;
import edu.internet2.middleware.shibboleth.common.AuthNPrincipal;
import edu.internet2.middleware.shibboleth.common.ShibPOSTProfile;
import edu.internet2.middleware.shibboleth.common.ShibPOSTProfileFactory;
String header = configuration.getProperty("edu.internet2.middleware.shibboleth.hs.HandleServlet.username");
String username = header.equalsIgnoreCase("REMOTE_USER") ? req.getRemoteUser() : req.getHeader(header);
- StringBuffer format = new StringBuffer();
+ StringBuffer format = new StringBuffer();
String handle = handleRepository.getHandle(new AuthNPrincipal(username), format);
log.info("Issued Handle (" + handle + ") to (" + username + ")");
byte[] buf =
generateAssertion(
handle,
- format.toString(),
+ format.toString(),
req.getParameter("shire"),
req.getRemoteAddr(),
configuration.getProperty("edu.internet2.middleware.shibboleth.hs.HandleServlet.authMethod"));
+ log.log(
+ AuditLevel.AUDIT,
+ "Authentication assertion issued to SHIRE ("
+ + req.getParameter("shire")
+ + ") on behalf of principal ("
+ + username
+ + ") for resource ("
+ + req.getParameter("target")
+ + "). Attribue Query Handle: ("
+ + handle
+ + ").");
+
createForm(req, res, buf);
} catch (HandleRepositoryException ex) {