Added support for using the default relying party in cases where no metadata is avail...
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 23 Apr 2004 19:37:05 +0000 (19:37 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 23 Apr 2004 19:37:05 +0000 (19:37 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1006 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/aa/AAServlet.java
src/edu/internet2/middleware/shibboleth/common/ServiceProviderMapper.java
src/edu/internet2/middleware/shibboleth/hs/HSServiceProviderMapper.java
src/edu/internet2/middleware/shibboleth/hs/HandleServlet.java

index 69eb8bd..dc1b214 100755 (executable)
@@ -239,11 +239,29 @@ public class AAServlet extends TargetFederationComponent {
                        }
                        SAMLAttributeQuery attributeQuery = (SAMLAttributeQuery) samlRequest.getQuery();
 
-                       //Identify a Relying Party
-                       relyingParty = targetMapper.getRelyingParty(attributeQuery.getResource());
+                       if (!fromLegacyProvider(req)) {
+                               log.info("Remote provider has identified itself as: (" + attributeQuery.getResource() + ").");
+                       }
 
                        //This is the requester name that will be passed to subsystems
-                       String effectiveName = getEffectiveName(req, relyingParty);
+                       String effectiveName = null;
+
+                       String credentialName = getCredentialName(req);
+                       if (credentialName == null || credentialName.toString().equals("")) {
+                               log.info("Request is from an unauthenticated service provider.");
+                       } else {
+
+                               //Identify a Relying Party
+                               relyingParty = targetMapper.getRelyingParty(attributeQuery.getResource());
+
+                               try {
+                                       effectiveName = getEffectiveName(req, relyingParty);
+                               } catch (InvalidProviderCredentialException ipc) {
+                                       sendFailure(resp, samlRequest, new SAMLException(SAMLException.RESPONDER,
+                                       "Invalid credentials for request."));
+                                       return;
+                               }
+                       }
 
                        if (effectiveName == null) {
                                log.debug("Using default Relying Party for unauthenticated provider.");
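Review bot: The guard `credentialName == null || credentialName.toString().equals("")` calls toString() on a value already declared as String, and it duplicates the identical check at the top of getEffectiveName (third hunk of this file), so that method's own empty-credential handling is now unreachable from this caller. Simplify it to `if (credentialName == null || credentialName.equals(""))` and either drop the inner check or document that getEffectiveName assumes a non-empty credential. Note also that relyingParty is assigned only in the else branch; the unauthenticated path presumably selects the default relying party below the hunk, which is outside this view.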
@@ -343,9 +361,11 @@ public class AAServlet extends TargetFederationComponent {
                                }
                        } else {
                                if (fromLegacyProvider(req)) {
-                                       transactionLog.info("Attribute assertion issued to legacy provider (" + effectiveName + ") on behalf of principal (" + principal.getName() + ").");
+                                       transactionLog.info("Attribute assertion issued to legacy provider (" + effectiveName
+                                                       + ") on behalf of principal (" + principal.getName() + ").");
                                } else {
-                                       transactionLog.info("Attribute assertion issued to provider (" + effectiveName + ") on behalf of principal (" + principal.getName() + ").");
+                                       transactionLog.info("Attribute assertion issued to provider (" + effectiveName
+                                                       + ") on behalf of principal (" + principal.getName() + ").");
                                }
                        }
 
@@ -371,7 +391,8 @@ public class AAServlet extends TargetFederationComponent {
                }
        }
 
-       protected String getEffectiveName(HttpServletRequest req, AARelyingParty relyingParty) throws AAException {
+       protected String getEffectiveName(HttpServletRequest req, AARelyingParty relyingParty)
+                       throws InvalidProviderCredentialException {
 
                String credentialName = getCredentialName(req);
                if (credentialName == null || credentialName.toString().equals("")) {
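Review bot: The new contract of getEffectiveName is undocumented: after this change it can return null (credential presented but no metadata for the provider) in addition to throwing InvalidProviderCredentialException, and the caller relies on that null to fall back to the default relying party. Add a Javadoc above the signature along the lines of `@return the provider id to pass to subsystems, or null when the caller should treat the provider as unauthenticated` together with `@throws InvalidProviderCredentialException if the presented credential is not valid for the selected relying party`. The method body continues outside this hunk.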
@@ -387,15 +408,24 @@ public class AAServlet extends TargetFederationComponent {
                                return legacyName;
 
                        } else {
+
+                               //See if we have metadata for this provider
+                               Provider provider = lookup(relyingParty.getProviderId());
+                               if (provider == null) {
+                                       log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
+                                       log.info("Treating remote provider as unauthenticated.");
+                                       return null;
+                               }
+
                                //Make sure that the suppplied credential is valid for the selected relying party
-                               if (isValidCredential(relyingParty, credentialName.toString())) {
+                               if (isValidCredential(provider, credentialName.toString())) {
                                        log.info("Supplied credential validated for this provider.");
                                        log.info("Request from service provider: (" + relyingParty.getProviderId() + ").");
                                        return relyingParty.getProviderId();
                                } else {
                                        log.error("Supplied credential (" + credentialName.toString() + ") is NOT valid for provider ("
                                                        + relyingParty.getProviderId() + ").");
-                                       throw new AAException("Invalid credential.");
+                                       throw new InvalidProviderCredentialException("Invalid credential.");
                                }
                        }
                }
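Review bot: The no-metadata branch turns a credential-bearing request into an unauthenticated one at info level, which makes a pruned or mistyped metadata entry indistinguishable in the logs from a genuinely anonymous request. Log it at warn and keep the credential name for correlation, e.g. `log.warn("No metadata found for provider (" + relyingParty.getProviderId() + ") presenting credential (" + credentialName + "); treating as unauthenticated.");`. The credential name is already written to the log in the failure branch below, so this exposes nothing new.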
@@ -556,13 +586,7 @@ public class AAServlet extends TargetFederationComponent {
                }
        }
 
-       protected boolean isValidCredential(RelyingParty relyingParty, String credentialName) throws AAException {
-
-               Provider provider = lookup(relyingParty.getProviderId());
-               if (provider == null) {
-                       log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
-                       throw new AAException("Request is from an unkown Service Provider.");
-               }
+       protected boolean isValidCredential(Provider provider, String credentialName) {
 
                ProviderRole[] roles = provider.getRoles();
                if (roles.length == 0) {
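Review bot: isValidCredential no longer checks its provider argument for null, but nothing in the signature says so; a caller that skips the lookup would now fail with a NullPointerException inside getRoles() instead of a clear error. Document the precondition, e.g. `/** @param provider metadata for the relying party; must not be null - the caller is responsible for the lookup and for the no-metadata fallback */`. The same applies to isValidAssertionConsumerURL in HandleServlet, which receives the same signature change in this commit. The method body continues outside this hunk.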
@@ -611,4 +635,11 @@ public class AAServlet extends TargetFederationComponent {
                return null;
        }
 
+       class InvalidProviderCredentialException extends Exception {
+
+               public InvalidProviderCredentialException(String message) {
+                       super(message);
+               }
+       }
+
 }
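Review bot: InvalidProviderCredentialException is declared as a non-static inner class, so every instance carries a hidden reference to the enclosing AAServlet; because Exception is Serializable this drags the servlet into any serialization of the exception and is a typical source of accidental retention. Declare it `static class InvalidProviderCredentialException extends Exception` and, if the build warns about it, add a `private static final long serialVersionUID`.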
index ee62e02..04382dd 100644 (file)
@@ -82,6 +82,13 @@ public abstract class ServiceProviderMapper {
 
        protected RelyingParty getRelyingPartyImpl(String providerIdFromTarget) {
 
+               //Null request, send the default
+               if (providerIdFromTarget == null) {
+                       RelyingParty relyingParty = getDefaultRelyingParty();
+                       log.info("Using default Relying Party: (" + relyingParty.getName() + ").");
+                       return new UnknownProviderWrapper(relyingParty, providerIdFromTarget);
+               }
+
                //Look for a configuration for the specific relying party
                if (relyingParties.containsKey(providerIdFromTarget)) {
                        log.info("Found Relying Party for (" + providerIdFromTarget + ").");
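Review bot: The new null branch is a copy of the default fallback at the end of this method (same getDefaultRelyingParty call, same log shape, same UnknownProviderWrapper), and it guards only null while the HS subclass's getRelyingParty also treats "" as absent. If the guard exists to keep containsKey and findRelyingPartyByGroup away from a null key, a single condition around those two lookups, `if (providerIdFromTarget != null) { ... }`, would let the existing default path at the bottom serve both cases with one log line. If the separate branch is intentional, a comment saying why null and unknown ids are logged differently would help the next reader.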
@@ -95,10 +102,11 @@ public abstract class ServiceProviderMapper {
                        return new RelyingPartyGroupWrapper(groupParty, providerIdFromTarget);
                }
 
-               //OK, just send the default
+               //OK, we can't find it... just send the default
+               RelyingParty relyingParty = getDefaultRelyingParty();
                log.info("Could not locate Relying Party configuration for (" + providerIdFromTarget
-                               + ").  Using default Relying Party.");
-               return new UnknownProviderWrapper(getDefaultRelyingPatry(), providerIdFromTarget);
+                               + ").  Using default Relying Party: (" + relyingParty.getName() + ").");
+               return new UnknownProviderWrapper(relyingParty, providerIdFromTarget);
        }
 
        private RelyingParty findRelyingPartyByGroup(String providerIdFromTarget) {
@@ -122,7 +130,7 @@ public abstract class ServiceProviderMapper {
                return null;
        }
 
-       protected RelyingParty getDefaultRelyingPatry() {
+       public RelyingParty getDefaultRelyingParty() {
 
                //If there is no explicit default, pick the single configured Relying
                // Party
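Review bot: getDefaultRelyingParty is widened from protected to public, but the only callers visible in this commit are the subclass HSServiceProviderMapper and this class itself, which protected already covers. Unless a caller outside the mapper hierarchy is introduced elsewhere, keep it `protected RelyingParty getDefaultRelyingParty()` so the mapper's fallback policy stays internal; the typo fix in the name is welcome either way.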
index 4904232..ddae04b 100644 (file)
@@ -106,16 +106,27 @@ public class HSServiceProviderMapper extends ServiceProviderMapper {
         */
        public HSRelyingParty getRelyingParty(String providerIdFromTarget) {
 
-               //If the target did not send a Provider Id, then assume it is a Shib
-               // 1.1 or older target
                if (providerIdFromTarget == null || providerIdFromTarget.equals("")) {
-                       log.info("Request is from legacy shib target.  Selecting default Relying Party.");
-                       return new LegacyWrapper((HSRelyingParty) getDefaultRelyingPatry());
+                       RelyingParty relyingParty = getDefaultRelyingParty();
+                       log.info("Selecting default Relying Party: (" + relyingParty.getName() + ").");
+                       return new NoMetadataWrapper((HSRelyingParty) relyingParty);
                }
 
                return (HSRelyingParty) getRelyingPartyImpl(providerIdFromTarget);
        }
 
+       /**
+        * Returns the relying party for a legacy provider(the default)
+        */
+       public HSRelyingParty getLegacyRelyingParty() {
+
+               RelyingParty relyingParty = getDefaultRelyingParty();
+               log.info("Request is from legacy shib target.  Selecting default Relying Party: (" + relyingParty.getName()
+                               + ").");
+               return new LegacyWrapper((HSRelyingParty) relyingParty);
+
+       }
+
        protected ShibbolethOriginConfig getOriginConfig() {
                return configuration;
        }
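Review bot: getRelyingParty(null) now returns a NoMetadataWrapper instead of a LegacyWrapper, so the Javadoc that ends just above the signature (outside this hunk) likely still describes the old legacy behaviour and should be rechecked. The new getLegacyRelyingParty comment also lacks the return value and a space; something like `Returns the relying party to use for a legacy (pre-1.2) target: the default relying party wrapped as a LegacyWrapper.` with `@return the wrapped default relying party` would do. Note as well that this method treats "" like null, whereas the HandleServlet caller checks only for null before choosing the legacy path.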
@@ -274,4 +285,28 @@ public class HSServiceProviderMapper extends ServiceProviderMapper {
                }
        }
 
+       /**
+        * Relying party wrapper for providers for which we have no metadata
+        * 
+        * @author Walter Hoehn
+        */
+       class NoMetadataWrapper extends UnknownProviderWrapper implements HSRelyingParty {
+
+               NoMetadataWrapper(HSRelyingParty wrapped) {
+                       super(wrapped, null);
+               }
+
+               public String getHSNameFormatId() {
+                       return ((HSRelyingParty) wrapped).getHSNameFormatId();
+               }
+
+               public URL getAAUrl() {
+                       return ((HSRelyingParty) wrapped).getAAUrl();
+               }
+
+               public URI getDefaultAuthMethod() {
+                       return ((HSRelyingParty) wrapped).getDefaultAuthMethod();
+               }
+       }
+
 }
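Review bot: NoMetadataWrapper casts `wrapped` to HSRelyingParty in each of its three delegating methods even though the constructor already receives an HSRelyingParty. Keeping a typed reference removes the casts and makes the wrapper's type assumption explicit. It would also be worth a comment that `super(wrapped, null)` means getProviderId() on this wrapper presumably yields null, since callers in HandleServlet feed that value into log lines and metadata lookups.
```java
class NoMetadataWrapper extends UnknownProviderWrapper implements HSRelyingParty {

	private final HSRelyingParty hsWrapped;

	NoMetadataWrapper(HSRelyingParty wrapped) {
		super(wrapped, null);
		this.hsWrapped = wrapped;
	}

	public String getHSNameFormatId() {
		return hsWrapped.getHSNameFormatId();
	}

	// … unchanged shape for getAAUrl() and getDefaultAuthMethod(), delegating to hsWrapped …
}
```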
index 8a6cab0..d0ebd8c 100644 (file)
@@ -45,19 +45,16 @@ import org.opensaml.SAMLAuthorityBinding;
 import org.opensaml.SAMLBinding;
 import org.opensaml.SAMLException;
 import org.opensaml.SAMLNameIdentifier;
-import org.opensaml.SAMLResponse;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
 
 import sun.misc.BASE64Decoder;
-
 import edu.internet2.middleware.shibboleth.common.AuthNPrincipal;
 import edu.internet2.middleware.shibboleth.common.Credentials;
 import edu.internet2.middleware.shibboleth.common.NameIdentifierMapping;
 import edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException;
 import edu.internet2.middleware.shibboleth.common.OriginConfig;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
 import edu.internet2.middleware.shibboleth.common.ServiceProviderMapperException;
 import edu.internet2.middleware.shibboleth.common.ShibPOSTProfile;
 import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
@@ -113,7 +110,7 @@ public class HandleServlet extends TargetFederationComponent {
                                log.error("Name Identifier mapping could not be loaded: " + e);
                        }
                }
-               
+
                //Load metadata
                itemElements = originConfig.getDocumentElement().getElementsByTagNameNS(
                                ShibbolethOriginConfig.originConfigNamespace, "FederationProvider");
@@ -134,7 +131,6 @@ public class HandleServlet extends TargetFederationComponent {
                        throw new ShibbolethConfigurationException("Could not load origin configuration.");
                }
 
-
        }
 
        public void init() throws ServletException {
@@ -170,22 +166,40 @@ public class HandleServlet extends TargetFederationComponent {
                        req.setAttribute("shire", req.getParameter("shire"));
                        req.setAttribute("target", req.getParameter("target"));
 
-                       HSRelyingParty relyingParty = targetMapper.getRelyingParty(req.getParameter("providerId"));
-
                        //Get the authN info
                        String username = configuration.getAuthHeaderName().equalsIgnoreCase("REMOTE_USER")
                                        ? req.getRemoteUser()
                                        : req.getHeader(configuration.getAuthHeaderName());
 
+                       //If the target did not send a Provider Id, then assume it is a Shib
+                       // 1.1 or older target
+                       HSRelyingParty relyingParty = null;
+                       String remoteProviderId = req.getParameter("providerId");
+                       if (remoteProviderId == null) {
+                               relyingParty = targetMapper.getLegacyRelyingParty();
+                       } else {
+                               log.debug("Remote provider has identified itself as: (" + remoteProviderId + ").");
+                               relyingParty = targetMapper.getRelyingParty(req.getParameter("providerId"));
+                       }
+
                        //Make sure that the selected relying party configuration is appropriate for this
                        //acceptance URL
                        if (!relyingParty.isLegacyProvider()) {
-                               if (isValidAssertionConsumerURL(relyingParty, req.getParameter("shire"))) {
-                                       log.info("Supplied consumer URL validated for this provider.");
+
+                               Provider provider = lookup(relyingParty.getProviderId());
+                               if (provider == null) {
+                                       log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
+                                       relyingParty = targetMapper.getRelyingParty(null);
+
                                } else {
-                                       log.error("Supplied assertion consumer service URL (" + req.getParameter("shire")
-                                                       + ") is NOT valid for provider (" + relyingParty.getProviderId() + ").");
-                                       throw new InvalidClientDataException("Invalid assertion consumer service URL.");
+
+                                       if (isValidAssertionConsumerURL(provider, req.getParameter("shire"))) {
+                                               log.info("Supplied consumer URL validated for this provider.");
+                                       } else {
+                                               log.error("Supplied assertion consumer service URL (" + req.getParameter("shire")
+                                                               + ") is NOT valid for provider (" + relyingParty.getProviderId() + ").");
+                                               throw new InvalidClientDataException("Invalid assertion consumer service URL.");
+                                       }
                                }
                        }
 
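Review bot: When no metadata is found for a self-identified provider, the request is re-mapped to the default relying party and the whole isValidAssertionConsumerURL check is skipped, so the `shire` parameter stored at the top of the hunk is never validated and the response is later posted to whatever URL the requester supplied. That is the intended "default relying party" behaviour, but it should be visible to operators: log it at warn rather than info, e.g. `log.warn("No metadata for provider (" + relyingParty.getProviderId() + "); using default Relying Party, assertion consumer URL (" + req.getParameter("shire") + ") not validated.");`, and document on the default relying party configuration that it is reached by unverified endpoints. Two smaller points: the second getRelyingParty call re-reads `req.getParameter("providerId")` instead of using remoteProviderId, and the legacy test here checks only `== null` whereas HSServiceProviderMapper.getRelyingParty also treats "" as absent, so an empty providerId takes the no-metadata route rather than the legacy one.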
@@ -248,14 +262,14 @@ public class HandleServlet extends TargetFederationComponent {
 
                if (relyingParty.isLegacyProvider()) {
                        //For compatibility with pre-1.2 shibboleth targets, include a pointer to the AA
-                       SAMLAuthorityBinding binding = new SAMLAuthorityBinding(SAMLBinding.SAML_SOAP_HTTPS, relyingParty.getAAUrl()
-                                       .toString(), new QName(org.opensaml.XML.SAMLP_NS, "AttributeQuery"));
-                       return postProfile.prepare(shireURL, relyingParty, nameId, clientAddress, authType, new Date(System
-                                       .currentTimeMillis()), Collections.singleton(binding)).toBase64();
-               
+                       SAMLAuthorityBinding binding = new SAMLAuthorityBinding(SAMLBinding.SAML_SOAP_HTTPS, relyingParty
+                                       .getAAUrl().toString(), new QName(org.opensaml.XML.SAMLP_NS, "AttributeQuery"));
+                       return postProfile.prepare(shireURL, relyingParty, nameId, clientAddress, authType,
+                                       new Date(System.currentTimeMillis()), Collections.singleton(binding)).toBase64();
+
                } else {
-                       return postProfile.prepare(shireURL, relyingParty, nameId, clientAddress, authType, new Date(System
-                                       .currentTimeMillis()), null).toBase64();
+                       return postProfile.prepare(shireURL, relyingParty, nameId, clientAddress, authType,
+                                       new Date(System.currentTimeMillis()), null).toBase64();
                }
        }
 
@@ -304,14 +318,7 @@ public class HandleServlet extends TargetFederationComponent {
                }
        }
 
-       protected boolean isValidAssertionConsumerURL(RelyingParty relyingParty, String shireURL)
-                       throws InvalidClientDataException {
-
-               Provider provider = lookup(relyingParty.getProviderId());
-               if (provider == null) {
-                       log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
-                       throw new InvalidClientDataException("Request is from an unkown Service Provider.");
-               }
+       protected boolean isValidAssertionConsumerURL(Provider provider, String shireURL) throws InvalidClientDataException {
 
                ProviderRole[] roles = provider.getRoles();
                if (roles.length == 0) {