/*
* JBoss, Home of Professional Open Source.
* Copyright 2008, Red Hat Middleware LLC, and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.jboss.identity.federation.bindings.tomcat.idp;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.util.LifecycleSupport;
import org.apache.catalina.valves.ValveBase;
import org.apache.log4j.Logger;
import org.jboss.identity.federation.bindings.config.IDPType;
import org.jboss.identity.federation.bindings.config.KeyProviderType;
import org.jboss.identity.federation.bindings.interfaces.RoleGenerator;
import org.jboss.identity.federation.bindings.interfaces.TrustKeyManager;
import org.jboss.identity.federation.bindings.tomcat.TomcatRoleGenerator;
import org.jboss.identity.federation.bindings.util.PostBindingUtil;
import org.jboss.identity.federation.bindings.util.ValveUtil;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
import org.jboss.identity.federation.core.exceptions.ParsingException;
import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.jboss.identity.federation.core.saml.v2.exceptions.IssueInstantMissingException;
import org.jboss.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.jboss.identity.federation.saml.v2.protocol.RequestAbstractType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
/**
* Generic Web Browser SSO valve for the IDP
* @author Anil.Saldhana@redhat.com
* @since May 18, 2009
*/
public class IDPWebBrowserSSOValve extends ValveBase implements Lifecycle
{
private static Logger log = Logger.getLogger(IDPWebBrowserSSOValve.class);
protected IDPType idpConfiguration = null;
private RoleGenerator rg = new TomcatRoleGenerator();
private long assertionValidity = 5000; // 5 seconds in miliseconds
private String identityURL = null;
private TrustKeyManager keyManager;
private Boolean supportSignature = false;
public Boolean getSupportSignature()
{
return supportSignature;
}
public void setSupportSignature(Boolean supportSignature)
{
this.supportSignature = supportSignature;
}
@Override
public void invoke(Request request, Response response) throws IOException, ServletException
{
String referer = request.getHeader("Referer");
String relayState = request.getParameter("RelayState");
String samlMessage = request.getParameter("SAMLRequest");
String signature = request.getParameter("Signature");
String sigAlg = request.getParameter("SigAlg");
boolean containsSAMLRequestMessage = samlMessage != null;
Session session = request.getSessionInternal();
if(containsSAMLRequestMessage)
{
log.trace("Storing the SAMLRequest and RelayState in session");
session.setNote("SAMLRequest", samlMessage);
if(relayState != null && relayState.length() > 0)
session.setNote("RelayState", relayState.trim());
if(signature != null && signature.length() > 0)
session.setNote("Signature", signature.trim());
if(sigAlg != null && sigAlg.length() > 0)
session.setNote("sigAlg", sigAlg.trim());
}
//Lets check if the user has been authenticated
Principal userPrincipal = request.getPrincipal();
if(userPrincipal == null)
{
try
{
//Next in the invocation chain
getNext().invoke(request, response);
}
finally
{
userPrincipal = request.getPrincipal();
referer = request.getHeader("Referer");
log.debug("Referer in finally block="+ referer + ":user principal=" + userPrincipal);
}
}
IDPWebRequestUtil webRequestUtil = new IDPWebRequestUtil(request, idpConfiguration);
//Look for unauthorized status
if(response.getStatus() == HttpServletResponse.SC_FORBIDDEN)
{
try
{
ResponseType errorResponseType =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
this.identityURL);
if(this.supportSignature)
webRequestUtil.send(errorResponseType, relayState, response, true,
this.keyManager.getSigningKey());
else
webRequestUtil.send(errorResponseType, relayState, response, false,null);
}
catch (GeneralSecurityException e)
{
throw new ServletException(e);
}
return;
}
if(userPrincipal != null)
{
/**
* Since the container has finished the authentication,
* we can retrieve the original saml message as well as
* any relay state from the SP
*/
samlMessage = (String) session.getNote("SAMLRequest");
relayState = (String) session.getNote("RelayState");
signature = (String) session.getNote("Signature");
sigAlg = (String) session.getNote("sigAlg");
log.trace("Retrieved saml message and relay state from session");
log.trace("saml message=" + samlMessage + "::relay state="+ relayState);
log.trace("Signature=" + signature + "::sigAlg="+ sigAlg);
session.removeNote("SAMLRequest");
if(relayState != null && relayState.length() > 0)
session.removeNote("RelayState");
if(signature != null && signature.length() > 0)
session.removeNote("Signature");
if(sigAlg != null && sigAlg.length() > 0)
session.removeNote("sigAlg");
//Send valid saml response after processing the request
if(samlMessage != null)
{
//Get the SAML Request Message
RequestAbstractType requestAbstractType = null;
ResponseType responseType = null;
try
{
requestAbstractType = webRequestUtil.getSAMLRequest(samlMessage);
boolean isValid = validate(request.getRemoteAddr(),
new SessionHolder(samlMessage, signature, sigAlg));
if(!isValid)
throw new GeneralSecurityException("Validation check failed");
webRequestUtil.isTrusted(requestAbstractType.getIssuer().getValue());
List<String> roles = rg.generateRoles(userPrincipal);
log.trace("Roles have been determined:Creating response");
AuthnRequestType art = (AuthnRequestType) requestAbstractType;
responseType =
webRequestUtil.getResponse(art.getAssertionConsumerServiceURL(),
userPrincipal, roles,
this.identityURL, this.assertionValidity);
}
catch (IssuerNotTrustedException e)
{
log.trace(e);
responseType =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get(),
this.identityURL);
}
catch (ParsingException e)
{
log.trace(e);
responseType =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
this.identityURL);
}
catch (ConfigurationException e)
{
log.trace(e);
responseType =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
this.identityURL);
}
catch (IssueInstantMissingException e)
{
log.trace(e);
responseType =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
this.identityURL);
}
catch(GeneralSecurityException e)
{
log.trace(e);
responseType =
webRequestUtil.getErrorResponse(referer,
JBossSAMLURIConstants.STATUS_AUTHNFAILED.get(),
this.identityURL);
}
finally
{
try
{
if(this.supportSignature)
webRequestUtil.send(responseType, relayState, response, true,
this.keyManager.getSigningKey());
else
webRequestUtil.send(responseType, relayState, response, false,null);
}
catch (ParsingException e)
{
log.trace(e);
}
catch (GeneralSecurityException e)
{
log.trace(e);
}
}
return;
}
else
{
log.error("No SAML Request Message");
log.trace("Referer="+referer);
try
{
sendErrorResponseToSP(referer, response, relayState, webRequestUtil);
}
catch (ConfigurationException e)
{
log.trace(e);
}
}
}
}
protected void sendErrorResponseToSP(String referrer, Response response, String relayState,
IDPWebRequestUtil webRequestUtil) throws ServletException, IOException, ConfigurationException
{
log.trace("About to send error response to SP:" + referrer);
ResponseType errorResponseType =
webRequestUtil.getErrorResponse(referrer, JBossSAMLURIConstants.STATUS_RESPONDER.get(),
this.identityURL);
try
{
if(this.supportSignature)
webRequestUtil.send(errorResponseType, relayState, response, true,
this.keyManager.getSigningKey());
else
webRequestUtil.send(errorResponseType, relayState, response, false,null);
}
catch (ParsingException e1)
{
throw new ServletException(e1);
}
catch (GeneralSecurityException e)
{
throw new ServletException(e);
}
}
protected boolean validate(String remoteAddress,
SessionHolder holder) throws IOException, GeneralSecurityException
{
if(!supportSignature)
{
return holder.samlRequest != null && holder.samlRequest.length() > 0;
}
String sig = holder.signature;
if(sig == null || sig.length() == 0)
{
log.error("Signature received from SP is null:" + remoteAddress);
return false;
}
return PostBindingUtil.validateSignature(holder.samlRequest.getBytes("UTF-8"),
sig, keyManager.getValidatingKey(remoteAddress));
}
//***************Lifecycle
/**
* The lifecycle event support for this component.
*/
protected LifecycleSupport lifecycle = new LifecycleSupport(this);
/**
* Has this component been started yet?
*/
private boolean started = false;
/**
* Add a lifecycle event listener to this component.
*
* @param listener The listener to add
*/
public void addLifecycleListener(LifecycleListener listener)
{
lifecycle.addLifecycleListener(listener);
}
/**
* Get the lifecycle listeners associated with this lifecycle. If this
* Lifecycle has no listeners registered, a zero-length array is returned.
*/
public LifecycleListener[] findLifecycleListeners()
{
return lifecycle.findLifecycleListeners();
}
/**
* Remove a lifecycle event listener from this component.
*
* @param listener The listener to add
*/
public void removeLifecycleListener(LifecycleListener listener)
{
lifecycle.removeLifecycleListener(listener);
}
/**
* Prepare for the beginning of active use of the public methods of this
* component. This method should be called after <code>configure()</code>,
* and before any of the public methods of the component are utilized.
*
* @exception LifecycleException if this component detects a fatal error
* that prevents this component from being used
*/
public void start() throws LifecycleException
{
// Validate and update our current component state
if (started)
throw new LifecycleException
("IDPRedirectValve already Started");
lifecycle.fireLifecycleEvent(START_EVENT, null);
started = true;
String configFile = "/WEB-INF/jboss-idfed.xml";
Context context = (Context) getContainer();
InputStream is = context.getServletContext().getResourceAsStream(configFile);
if(is == null)
throw new RuntimeException(configFile + " missing");
try
{
idpConfiguration = ValveUtil.getIDPConfiguration(is);
this.identityURL = idpConfiguration.getIdentityURL();
log.trace("Identity Provider URL=" + this.identityURL);
this.assertionValidity = idpConfiguration.getAssertionValidity();
}
catch (Exception e)
{
throw new RuntimeException(e);
}
if(this.supportSignature)
{
KeyProviderType keyProvider = this.idpConfiguration.getKeyProvider();
try
{
ClassLoader tcl = SecurityActions.getContextClassLoader();
String keyManagerClassName = keyProvider.getClassName();
if(keyManagerClassName == null)
throw new RuntimeException("KeyManager class name is null");
Class<?> clazz = tcl.loadClass(keyManagerClassName);
this.keyManager = (TrustKeyManager) clazz.newInstance();
keyManager.setAuthProperties(keyProvider.getAuth());
keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
}
catch(Exception e)
{
log.error("Exception reading configuration:",e);
throw new LifecycleException(e.getLocalizedMessage());
}
log.trace("Key Provider=" + keyProvider.getClassName());
}
}
/**
* Gracefully terminate the active use of the public methods of this
* component. This method should be the last one called on a given
* instance of this component.
*
* @exception LifecycleException if this component detects a fatal error
* that needs to be reported
*/
public void stop() throws LifecycleException
{
// Validate and update our current component state
if (!started)
throw new LifecycleException
("IDPRedirectValve NotStarted");
lifecycle.fireLifecycleEvent(STOP_EVENT, null);
started = false;
}
//Private Methods
protected class SessionHolder
{
String samlRequest;
String signature;
String sigAlg;
public SessionHolder(String req, String sig, String alg)
{
this.samlRequest = req;
this.signature = sig;
this.sigAlg = alg;
}
}
}