Package org.opensaml.saml2.binding

Source Code of org.opensaml.saml2.binding.AuthnResponseEndpointSelector

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
/*
* Licensed to the University Corporation for Advanced Internet Development,
* Inc. (UCAID) under one or more contributor license agreements.  See the
* NOTICE file distributed with this work for additional information regarding
* copyright ownership. The UCAID licenses this file to You under the Apache
* License, Version 2.0 (the "License"); you may not use this file except in
* compliance with the License.  You may obtain a copy of the License at
*
*    http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package org.opensaml.saml2.binding;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import org.opensaml.common.binding.BasicEndpointSelector;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.IndexedEndpoint;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
* An endpoint selector that implements the additional selection constraints described within the SAML 2.0 AuthnRequest
* specification. If an endpoint can not be resolved using either the information within the assertion consumer service
* index or the assertion consumer service URL given in the authentication request, or if this information isn't
* present, than the rules for the {@link BasicEndpointSelector} are used.
*/
public class AuthnResponseEndpointSelector extends BasicEndpointSelector {

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(AuthnResponseEndpointSelector.class);

    /** {@inheritDoc} */
    @SuppressWarnings("unchecked")
    public Endpoint selectEndpoint() {
        if (getEntityRoleMetadata() == null) {
            log.debug("Unable to select endpoint, no entity role metadata available.");
            return null;
        }

        List<? extends Endpoint> endpoints = getEntityRoleMetadata().getEndpoints(getEndpointType());
        if (endpoints == null || endpoints.size() == 0) {
            return null;
        }

        Endpoint endpoint = null;
        AuthnRequest request = (AuthnRequest) getSamlRequest();
        if (request != null) {
            endpoints = filterEndpointsByProtocolBinding(endpoints);
            if (endpoints == null || endpoints.isEmpty()) {
                return null;
            }

            if (request.getAssertionConsumerServiceIndex() != null) {
                log.debug("Selecting endpoint by ACS index '{}' for request '{}' from entity '{}'", new Object[] {
                        request.getAssertionConsumerServiceIndex(), request.getID(), getEntityMetadata().getEntityID()});
                endpoint = selectEndpointByACSIndex(request, (List<IndexedEndpoint>) endpoints);
            } else if (request.getAssertionConsumerServiceURL() != null) {
                log.debug(
                        "Selecting endpoint by ACS URL '{}' and protocol binding '{}' for request '{}' from entity '{}'",
                        new Object[] {request.getAssertionConsumerServiceURL(), request.getProtocolBinding(),
                                request.getID(), getEntityMetadata().getEntityID()});
                endpoint = selectEndpointByACSURL(request, (List<IndexedEndpoint>) endpoints);
            }
        }

        if (endpoint == null && request.getAssertionConsumerServiceIndex() == null
                && request.getAssertionConsumerServiceURL() == null) {
            log.debug("No ACS index or URL given, selecting endpoint without additional constraints.");
            if (endpoints.get(0) instanceof IndexedEndpoint) {
                endpoint = selectIndexedEndpoint((List<IndexedEndpoint>) endpoints);
            } else {
                endpoint = selectNonIndexedEndpoint((List<Endpoint>) endpoints);
            }
        }

        return endpoint;
    }

    /**
     * Filters the list of possible endpoints by supported outbound bindings and, if the authentication request contains
     * a requested binding and not an ACS index, that too is used to filter the list.
     *
     * @param endpoints raw list of endpoints
     *
     * @return filtered endpoints
     */
    protected List<? extends Endpoint> filterEndpointsByProtocolBinding(List<? extends Endpoint> endpoints) {
        log.debug("Filtering peer endpoints.  Supported peer endpoint bindings: {}", getSupportedIssuerBindings());
        AuthnRequest request = (AuthnRequest) getSamlRequest();

        boolean filterByRequestBinding = false;
        String acsBinding = DatatypeHelper.safeTrimOrNullString(request.getProtocolBinding());
        if (acsBinding != null && request.getAssertionConsumerServiceIndex() != null) {
            filterByRequestBinding = true;
        }

        List<Endpoint> filteredEndpoints = new ArrayList<Endpoint>(endpoints);
        Iterator<Endpoint> endpointItr = filteredEndpoints.iterator();
        Endpoint endpoint;
        while (endpointItr.hasNext()) {
            endpoint = endpointItr.next();
            if (!getSupportedIssuerBindings().contains(endpoint.getBinding())) {
                log.debug("Removing endpoint {} because its binding {} is not supported", endpoint.getLocation(),
                        endpoint.getBinding());
                endpointItr.remove();
                continue;
            }

            if (filterByRequestBinding && !endpoint.getBinding().equals(acsBinding)) {
                log.debug("Removing endpoint {} because its binding {} does not match request's requested binding",
                        endpoint.getLocation(), endpoint.getBinding());
                endpointItr.remove();
            }
        }

        return filteredEndpoints;
    }

    /**
     * Selects the endpoint by way of the assertion consumer service index given in the AuthnRequest.
     *
     * @param request the AuthnRequest
     * @param endpoints list of endpoints to select from
     *
     * @return the selected endpoint
     */
    protected Endpoint selectEndpointByACSIndex(AuthnRequest request, List<IndexedEndpoint> endpoints) {
        Integer acsIndex = request.getAssertionConsumerServiceIndex();
        for (IndexedEndpoint endpoint : endpoints) {
            if (endpoint == null || !getSupportedIssuerBindings().contains(endpoint.getBinding())) {
                log.debug(
                        "Endpoint '{}' with binding '{}' discarded because it requires an unsupported outbound binding.",
                        endpoint.getLocation(), endpoint.getBinding());
                continue;
            }

            if (DatatypeHelper.safeEquals(acsIndex, endpoint.getIndex())) {
                return endpoint;
            } else {
                log.debug("Endpoint '{}' with index '{}' discard because it does have the required index '{}'",
                        new Object[] {endpoint.getLocation(), endpoint.getIndex(), acsIndex});
            }
        }

        log.warn("Relying party '{}' requested the response to be returned to endpoint with ACS index '{}' "
                + "however no endpoint, with that index and using a supported binding, can be found "
                + " in the relying party's metadata ", getEntityMetadata().getEntityID(), acsIndex);
        return null;
    }

    /**
     * Selects the endpoint by way of the assertion consumer service URL given in the AuthnRequest.
     *
     * @param request the AuthnRequest
     * @param endpoints list of endpoints to select from
     *
     * @return the selected endpoint
     */
    protected Endpoint selectEndpointByACSURL(AuthnRequest request, List<IndexedEndpoint> endpoints) {
        String acsBinding = DatatypeHelper.safeTrimOrNullString(request.getProtocolBinding());

        for (IndexedEndpoint endpoint : endpoints) {
            if (!getSupportedIssuerBindings().contains(endpoint.getBinding())) {
                log.debug(
                        "Endpoint '{}' with binding '{}' discarded because that is not a supported outbound binding.",
                        endpoint.getLocation(), endpoint.getBinding());
                continue;
            }

            if (acsBinding != null) {
                if (!DatatypeHelper.safeEquals(acsBinding, endpoint.getBinding())) {
                    log.debug(
                            "Endpoint '{}' with binding '{}' discarded because it does not meet protocol binding selection criteria",
                            endpoint.getLocation(), endpoint.getBinding());
                    continue;
                }
            }

            String responseLocation = DatatypeHelper.safeTrim(endpoint.getResponseLocation());
            if (responseLocation != null){
                    if(DatatypeHelper.safeEquals(responseLocation, request.getAssertionConsumerServiceURL())) {
                        return endpoint;
                    }
            }else{   
                String location = DatatypeHelper.safeTrim(endpoint.getLocation());
                if (location != null && DatatypeHelper.safeEquals(location, request.getAssertionConsumerServiceURL())) {
                    return endpoint;
                }
            }

            log.debug("Endpoint with Location '{}' discarded because neither its Location nor ResponseLocation match ACS URL '{}'",
                    endpoint.getLocation(), request.getAssertionConsumerServiceURL());
        }

        log.warn("Relying party '{}' requested the response to be returned to endpoint with ACS URL '{}' "
                + " and binding '{}' however no endpoint, with that URL and using a supported binding, "
                + " can be found in the relying party's metadata ", new Object[] {getEntityMetadata().getEntityID(),
                request.getAssertionConsumerServiceURL(), (acsBinding == null) ? "any" : acsBinding});
        return null;
    }
}
TOP

Related Classes of org.opensaml.saml2.binding.AuthnResponseEndpointSelector

  • org.apache.cxf.rs.security.oauth2.saml.SamlOAuthValidator
  • org.apache.cxf.rs.security.saml.sso.AbstractServiceProviderFilter
  • org.apache.cxf.rs.security.saml.sso.AuthnRequestBuilderTest
  • org.apache.cxf.rs.security.saml.sso.SAMLResponseValidatorTest
  • org.apache.cxf.rs.security.saml.sso.SAMLSSOResponseValidatorTest
  • org.apache.cxf.rt.security.xacml.SamlRequestComponentBuilder
  • org.apache.cxf.systest.sts.intermediary_transformation.OnBehalfOfValidator
  • org.apache.velocity.VelocityContext
  • org.joda.time.DateTime
  • org.opensaml.common.binding.BasicEndpointSelector
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.