}
SAMLAttributeQuery attributeQuery = (SAMLAttributeQuery) samlRequest.getQuery();
- //Identify a Relying Party
- relyingParty = targetMapper.getRelyingParty(attributeQuery.getResource());
+ if (!fromLegacyProvider(req)) {
+ log.info("Remote provider has identified itself as: (" + attributeQuery.getResource() + ").");
+ }
//This is the requester name that will be passed to subsystems
- String effectiveName = getEffectiveName(req, relyingParty);
+ String effectiveName = null;
+
+ String credentialName = getCredentialName(req);
+ if (credentialName == null || credentialName.toString().equals("")) {
+ log.info("Request is from an unauthenticated service provider.");
+ } else {
+
+ //Identify a Relying Party
+ relyingParty = targetMapper.getRelyingParty(attributeQuery.getResource());
+
+ try {
+ effectiveName = getEffectiveName(req, relyingParty);
+ } catch (InvalidProviderCredentialException ipc) {
+ sendFailure(resp, samlRequest, new SAMLException(SAMLException.RESPONDER,
+ "Invalid credentials for request."));
+ return;
+ }
+ }
if (effectiveName == null) {
log.debug("Using default Relying Party for unauthenticated provider.");
}
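Review bot: A request that presents a credential but maps to a relying party with no metadata is now handled as unauthenticated — getEffectiveName returns null in that case — and continues on the default path, where the previous code rejected it; the only trace of the presented-but-ignored credential is an info line inside getEffectiveName that does not name it. At the fallthrough on L28 the credential name is still in scope, so log it when it is non-null, e.g. `log.warn("Credential (" + credentialName + ") presented but no provider metadata matched; treating request as unauthenticated.");`, so an impersonation attempt or a metadata gap is visible in the log rather than indistinguishable from a plain anonymous query. As a point of style, `credentialName.toString().equals("")` on L13 (and on L48 in getEffectiveName) is a no-op call on a String; `credentialName.equals("")` suffices. The enclosing method starts before L1 and continues past L30, so whether the relyingParty selected on L18 is replaced for the unauthenticated path cannot be confirmed here.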
} else {
if (fromLegacyProvider(req)) {
- transactionLog.info("Attribute assertion issued to legacy provider (" + effectiveName + ") on behalf of principal (" + principal.getName() + ").");
+ transactionLog.info("Attribute assertion issued to legacy provider (" + effectiveName
+ + ") on behalf of principal (" + principal.getName() + ").");
} else {
- transactionLog.info("Attribute assertion issued to provider (" + effectiveName + ") on behalf of principal (" + principal.getName() + ").");
+ transactionLog.info("Attribute assertion issued to provider (" + effectiveName
+ + ") on behalf of principal (" + principal.getName() + ").");
}
}
}
}
- protected String getEffectiveName(HttpServletRequest req, AARelyingParty relyingParty) throws AAException {
+ protected String getEffectiveName(HttpServletRequest req, AARelyingParty relyingParty)
+ throws InvalidProviderCredentialException {
String credentialName = getCredentialName(req);
if (credentialName == null || credentialName.toString().equals("")) {
return legacyName;
} else {
+
+ //See if we have metadata for this provider
+ Provider provider = lookup(relyingParty.getProviderId());
+ if (provider == null) {
+ log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
+ log.info("Treating remote provider as unauthenticated.");
+ return null;
+ }
+
//Make sure that the suppplied credential is valid for the selected relying party
- if (isValidCredential(relyingParty, credentialName.toString())) {
+ if (isValidCredential(provider, credentialName.toString())) {
log.info("Supplied credential validated for this provider.");
log.info("Request from service provider: (" + relyingParty.getProviderId() + ").");
return relyingParty.getProviderId();
} else {
log.error("Supplied credential (" + credentialName.toString() + ") is NOT valid for provider ("
+ relyingParty.getProviderId() + ").");
- throw new AAException("Invalid credential.");
+ throw new InvalidProviderCredentialException("Invalid credential.");
}
}
}
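Review bot: getEffectiveName now has three distinct non-throwing outcomes plus one throwing outcome, and the null return on L57 is the one callers must treat specially, yet the method carries no Javadoc. Add one stating that it returns legacyName when no credential accompanies the request, the provider id when the supplied credential validates against the provider's metadata, and null when no metadata exists for the relying party (the caller treats this as an unauthenticated provider), and that it throws InvalidProviderCredentialException when a credential is supplied but is not valid for the provider. Note also that L53 dereferences relyingParty without a null check; whether targetMapper.getRelyingParty can return null is not visible in this hunk, so if it can, document the precondition with `@param relyingParty must not be null`.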
}
}
- protected boolean isValidCredential(RelyingParty relyingParty, String credentialName) throws AAException {
-
- Provider provider = lookup(relyingParty.getProviderId());
- if (provider == null) {
- log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
- throw new AAException("Request is from an unkown Service Provider.");
- }
+ protected boolean isValidCredential(Provider provider, String credentialName) {
ProviderRole[] roles = provider.getRoles();
if (roles.length == 0) {
return null;
}
+ class InvalidProviderCredentialException extends Exception {
+
+ public InvalidProviderCredentialException(String message) {
+ super(message);
+ }
+ }
+
}
protected RelyingParty getRelyingPartyImpl(String providerIdFromTarget) {
+ //Null request, send the default
+ if (providerIdFromTarget == null) {
+ RelyingParty relyingParty = getDefaultRelyingParty();
+ log.info("Using default Relying Party: (" + relyingParty.getName() + ").");
+ return new UnknownProviderWrapper(relyingParty, providerIdFromTarget);
+ }
+
//Look for a configuration for the specific relying party
if (relyingParties.containsKey(providerIdFromTarget)) {
log.info("Found Relying Party for (" + providerIdFromTarget + ").");
return new RelyingPartyGroupWrapper(groupParty, providerIdFromTarget);
}
- //OK, just send the default
+ //OK, we can't find it... just send the default
+ RelyingParty relyingParty = getDefaultRelyingParty();
log.info("Could not locate Relying Party configuration for (" + providerIdFromTarget
- + "). Using default Relying Party.");
- return new UnknownProviderWrapper(getDefaultRelyingPatry(), providerIdFromTarget);
+ + "). Using default Relying Party: (" + relyingParty.getName() + ").");
+ return new UnknownProviderWrapper(relyingParty, providerIdFromTarget);
}
private RelyingParty findRelyingPartyByGroup(String providerIdFromTarget) {
return null;
}
- protected RelyingParty getDefaultRelyingPatry() {
+ public RelyingParty getDefaultRelyingParty() {
//If there is no explicit default, pick the single configured Relying
// Party
*/
public HSRelyingParty getRelyingParty(String providerIdFromTarget) {
- //If the target did not send a Provider Id, then assume it is a Shib
- // 1.1 or older target
if (providerIdFromTarget == null || providerIdFromTarget.equals("")) {
- log.info("Request is from legacy shib target. Selecting default Relying Party.");
- return new LegacyWrapper((HSRelyingParty) getDefaultRelyingPatry());
+ RelyingParty relyingParty = getDefaultRelyingParty();
+ log.info("Selecting default Relying Party: (" + relyingParty.getName() + ").");
+ return new NoMetadataWrapper((HSRelyingParty) relyingParty);
}
return (HSRelyingParty) getRelyingPartyImpl(providerIdFromTarget);
}
+ /**
+ * Returns the relying party for a legacy provider(the default)
+ */
+ public HSRelyingParty getLegacyRelyingParty() {
+
+ RelyingParty relyingParty = getDefaultRelyingParty();
+ log.info("Request is from legacy shib target. Selecting default Relying Party: (" + relyingParty.getName()
+ + ").");
+ return new LegacyWrapper((HSRelyingParty) relyingParty);
+
+ }
+
protected ShibbolethOriginConfig getOriginConfig() {
return configuration;
}
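Review bot: getRelyingParty treats both a null and an empty providerId as "no metadata" (L129), but the HS servlet changed in this same commit routes only a null providerId to getLegacyRelyingParty (L223), so a target that sends `providerId=` with an empty value gets a NoMetadataWrapper rather than a LegacyWrapper. If an absent-or-empty id is meant to identify a pre-1.2 target, the servlet check should read `if (remoteProviderId == null || remoteProviderId.equals("")) {`; otherwise the empty-string case on L129 is dead and can be dropped. The Javadoc on L138-140 should also say that the result is a LegacyWrapper around the default relying party and that deciding a request is legacy is the caller's responsibility based on the missing providerId, since this method does no such check itself.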
}
}
+ /**
+ * Relying party wrapper for providers for which we have no metadata
+ *
+ * @author Walter Hoehn
+ */
+ class NoMetadataWrapper extends UnknownProviderWrapper implements HSRelyingParty {
+
+ NoMetadataWrapper(HSRelyingParty wrapped) {
+ super(wrapped, null);
+ }
+
+ public String getHSNameFormatId() {
+ return ((HSRelyingParty) wrapped).getHSNameFormatId();
+ }
+
+ public URL getAAUrl() {
+ return ((HSRelyingParty) wrapped).getAAUrl();
+ }
+
+ public URI getDefaultAuthMethod() {
+ return ((HSRelyingParty) wrapped).getDefaultAuthMethod();
+ }
+ }
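Review bot: NoMetadataWrapper hands null to UnknownProviderWrapper as the provider id (L163), so, assuming UnknownProviderWrapper returns the id it was given, getProviderId() on this wrapper is null and callers that do `lookup(relyingParty.getProviderId())` — the HS servlet does so after a fallback to getRelyingParty(null) — end up calling lookup with null. The class Javadoc should state this explicitly, e.g. `Callers must expect {@code getProviderId()} to return {@code null} for this wrapper.`, so the contract is visible to anyone handling it as a generic RelyingParty. As a style point, the three `((HSRelyingParty) wrapped)` casts could be replaced by a `private final HSRelyingParty hsWrapped` field assigned in the constructor, which removes the repeated casts and makes the HS-specific delegation obvious.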
+
}
import org.opensaml.SAMLBinding;
import org.opensaml.SAMLException;
import org.opensaml.SAMLNameIdentifier;
-import org.opensaml.SAMLResponse;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import sun.misc.BASE64Decoder;
-
import edu.internet2.middleware.shibboleth.common.AuthNPrincipal;
import edu.internet2.middleware.shibboleth.common.Credentials;
import edu.internet2.middleware.shibboleth.common.NameIdentifierMapping;
import edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException;
import edu.internet2.middleware.shibboleth.common.OriginConfig;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
import edu.internet2.middleware.shibboleth.common.ServiceProviderMapperException;
import edu.internet2.middleware.shibboleth.common.ShibPOSTProfile;
import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
log.error("Name Identifier mapping could not be loaded: " + e);
}
}
-
+
//Load metadata
itemElements = originConfig.getDocumentElement().getElementsByTagNameNS(
ShibbolethOriginConfig.originConfigNamespace, "FederationProvider");
throw new ShibbolethConfigurationException("Could not load origin configuration.");
}
-
}
public void init() throws ServletException {
req.setAttribute("shire", req.getParameter("shire"));
req.setAttribute("target", req.getParameter("target"));
- HSRelyingParty relyingParty = targetMapper.getRelyingParty(req.getParameter("providerId"));
-
//Get the authN info
String username = configuration.getAuthHeaderName().equalsIgnoreCase("REMOTE_USER")
? req.getRemoteUser()
: req.getHeader(configuration.getAuthHeaderName());
+ //If the target did not send a Provider Id, then assume it is a Shib
+ // 1.1 or older target
+ HSRelyingParty relyingParty = null;
+ String remoteProviderId = req.getParameter("providerId");
+ if (remoteProviderId == null) {
+ relyingParty = targetMapper.getLegacyRelyingParty();
+ } else {
+ log.debug("Remote provider has identified itself as: (" + remoteProviderId + ").");
+ relyingParty = targetMapper.getRelyingParty(req.getParameter("providerId"));
+ }
+
//Make sure that the selected relying party configuration is appropriate for this
//acceptance URL
if (!relyingParty.isLegacyProvider()) {
- if (isValidAssertionConsumerURL(relyingParty, req.getParameter("shire"))) {
- log.info("Supplied consumer URL validated for this provider.");
+
+ Provider provider = lookup(relyingParty.getProviderId());
+ if (provider == null) {
+ log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
+ relyingParty = targetMapper.getRelyingParty(null);
+
} else {
- log.error("Supplied assertion consumer service URL (" + req.getParameter("shire")
- + ") is NOT valid for provider (" + relyingParty.getProviderId() + ").");
- throw new InvalidClientDataException("Invalid assertion consumer service URL.");
+
+ if (isValidAssertionConsumerURL(provider, req.getParameter("shire"))) {
+ log.info("Supplied consumer URL validated for this provider.");
+ } else {
+ log.error("Supplied assertion consumer service URL (" + req.getParameter("shire")
+ + ") is NOT valid for provider (" + relyingParty.getProviderId() + ").");
+ throw new InvalidClientDataException("Invalid assertion consumer service URL.");
+ }
}
}
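Review bot: When lookup() returns no metadata for a non-legacy provider (L237-L239), the request is silently re-mapped to the default relying party and the consumer-URL check on L246 is skipped, so the request-supplied `shire` value — which from the prepare call further down appears to be where the assertion is posted — is never validated against anything; the code this replaces rejected such requests with InvalidClientDataException. If accepting providers without metadata is intended, the fallback branch should record that the consumer URL was not validated, e.g. `log.warn("No metadata for provider (" + relyingParty.getProviderId() + "); consumer URL (" + req.getParameter("shire") + ") was not validated.");`, and a comment should state that this is a deliberate policy; if it is not intended, the rejection should be restored. Separately, L227 re-reads `req.getParameter("providerId")` although `remoteProviderId` already holds that value. The enclosing method starts and ends outside this hunk.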
if (relyingParty.isLegacyProvider()) {
//For compatibility with pre-1.2 shibboleth targets, include a pointer to the AA
- SAMLAuthorityBinding binding = new SAMLAuthorityBinding(SAMLBinding.SAML_SOAP_HTTPS, relyingParty.getAAUrl()
- .toString(), new QName(org.opensaml.XML.SAMLP_NS, "AttributeQuery"));
- return postProfile.prepare(shireURL, relyingParty, nameId, clientAddress, authType, new Date(System
- .currentTimeMillis()), Collections.singleton(binding)).toBase64();
-
+ SAMLAuthorityBinding binding = new SAMLAuthorityBinding(SAMLBinding.SAML_SOAP_HTTPS, relyingParty
+ .getAAUrl().toString(), new QName(org.opensaml.XML.SAMLP_NS, "AttributeQuery"));
+ return postProfile.prepare(shireURL, relyingParty, nameId, clientAddress, authType,
+ new Date(System.currentTimeMillis()), Collections.singleton(binding)).toBase64();
+
} else {
- return postProfile.prepare(shireURL, relyingParty, nameId, clientAddress, authType, new Date(System
- .currentTimeMillis()), null).toBase64();
+ return postProfile.prepare(shireURL, relyingParty, nameId, clientAddress, authType,
+ new Date(System.currentTimeMillis()), null).toBase64();
}
}
}
}
- protected boolean isValidAssertionConsumerURL(RelyingParty relyingParty, String shireURL)
- throws InvalidClientDataException {
-
- Provider provider = lookup(relyingParty.getProviderId());
- if (provider == null) {
- log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
- throw new InvalidClientDataException("Request is from an unkown Service Provider.");
- }
+ protected boolean isValidAssertionConsumerURL(Provider provider, String shireURL) throws InvalidClientDataException {
ProviderRole[] roles = provider.getRoles();
if (roles.length == 0) {