

Merge branch 'master' of https://github.com/wso2/carbon-identity into…
… redmine-2925
thanujalk committed Apr 23, 2015
2 parents 8bb3254 + 18c5d3b commit c23cb50
Showing 336 changed files with 1,929 additions and 1,932 deletions.
Expand Up @@ -14,13 +14,12 @@
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

<parent>
<groupId>org.wso2.carbon.identity</groupId>
<artifactId>agents</artifactId>
<version>4.3.4-SNAPSHOT</version>
<version>4.4.1-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>

Expand Up @@ -14,13 +14,12 @@
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

<parent>
<groupId>org.wso2.carbon.identity</groupId>
<artifactId>agents</artifactId>
<version>4.3.4-SNAPSHOT</version>
<version>4.4.1-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>

Expand Up @@ -64,7 +64,7 @@ public String getDecision(Attribute[] attributes, String appId) throws Exception
EntitlementThriftClient.Client client = getThriftClient(appId);
Authenticator authenticator = getAuthenticator(serverUrl, userName,
password);
return getDecision(xacmlRequest, client, authenticator.getSessionId(false));
return getDecision(xacmlRequest, client, authenticator);
}

@Override
Expand All @@ -78,7 +78,7 @@ public boolean subjectCanActOnResource(String subjectType, String alias, String
String xacmlRequest = XACMLRequetBuilder.buildXACML3Request(tempArr);
EntitlementThriftClient.Client client = getThriftClient(appId);
Authenticator authenticator = getAuthenticator(serverUrl, userName, password);
return (getDecision(xacmlRequest, client, authenticator.getSessionId(false))).contains("Permit");
return (getDecision(xacmlRequest, client, authenticator)).contains("Permit");
}

@Override
Expand All @@ -96,7 +96,7 @@ public boolean subjectCanActOnResource(String subjectType, String alias, String
String xacmlRequest = XACMLRequetBuilder.buildXACML3Request(attrs);
EntitlementThriftClient.Client client = getThriftClient(appId);
Authenticator authenticator = getAuthenticator(serverUrl, userName, password);
return (getDecision(xacmlRequest, client, authenticator.getSessionId(false))).contains("Permit");
return (getDecision(xacmlRequest, client, authenticator)).contains("Permit");
}

@Override
Expand Down Expand Up @@ -124,13 +124,18 @@ public List<String> getActionableChildResourcesForAlias(String alias, String par
return null;
}

private String getDecision(String xacmlRequest, EntitlementThriftClient.Client client, String sessionId) throws EntitlementProxyException {
private String getDecision(String xacmlRequest, EntitlementThriftClient.Client client, Authenticator authenticator)
throws Exception {
try {
return client.getDecision(xacmlRequest, sessionId);
return client.getDecision(xacmlRequest, authenticator.getSessionId(false));
} catch (TException e) {
throw new EntitlementProxyException("Error while getting decision from PDP using ThriftEntitlementServiceClient", e);
} catch (EntitlementException e) {
throw new EntitlementProxyException("Error while getting decision from PDP using ThriftEntitlementServiceClient", e);
try {
return client.getDecision(xacmlRequest, authenticator.getSessionId(true));
} catch (Exception e1) {
throw new EntitlementProxyException("Error while attempting to re-authenticate the Thrift client in ", e1);
}
}
}

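Review bot: The new `catch (EntitlementException e)` branch forces a fresh login with `getSessionId(true)` and retries on every EntitlementException, not only when the session has expired, and when the retry also fails the original exception `e` is dropped, so the PDP's first error never reaches the caller. The message on the rethrow is also cut off mid-sentence (`"...the Thrift client in "`). I would write `e1.addSuppressed(e);` before `throw new EntitlementProxyException("Error while getting decision from PDP after re-authenticating the Thrift client", e1);`, and, if EntitlementException carries something that identifies an invalid session, retry only in that case. Widening the helper from `throws EntitlementProxyException` to `throws Exception` also loses the specific type callers could have caught; the public methods that call this helper start outside the hunk.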
5 changes: 2 additions & 3 deletions components/agents/org.wso2.carbon.identity.sso.agent/pom.xml
Expand Up @@ -16,13 +16,12 @@
~ specific language governing permissions and limitations
~ under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

<parent>
<groupId>org.wso2.carbon.identity</groupId>
<artifactId>agents</artifactId>
<version>4.3.4-SNAPSHOT</version>
<version>4.4.1-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>

Expand Up @@ -77,6 +77,7 @@ public static class SAML2 {
"SAML2.PostBindingRequestHTMLPayload";
public static final String POST_BINDING_REQUEST_HTML_FILE_PATH =
"SAML2.PostBindingRequestHTMLFilePath";
public static final String SIGNATURE_VALIDATOR = "SAML2.SignatureValidatorImplClass";

}

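Review bot: `SIGNATURE_VALIDATOR` needs a Javadoc saying what its value is and how it is consumed, because SAML2SSOManager hands the configured value straight to `Class.forName(...).newInstance()`, which turns this property into a place where executable code is selected. I would add `/** Property key whose value is the fully-qualified name of a SAMLSignatureValidator implementation, instantiated by reflection; only trusted classes on the agent classpath should be named here. */` above the constant. The enclosing SAML2 constants class starts and ends outside the hunk.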
Expand Up @@ -248,6 +248,17 @@ public void initConfig(Properties properties) throws SSOAgentException {
saml2.isResponseSigned = false;
}

if (saml2.isResponseSigned()) {
String signatureValidatorImplClass = properties.getProperty(
SSOAgentConstants.SSOAgentConfig.SAML2.SIGNATURE_VALIDATOR);
if (signatureValidatorImplClass != null) {
saml2.signatureValidatorImplClass = signatureValidatorImplClass;
} else {
LOGGER.log(Level.FINE, SSOAgentConstants.SSOAgentConfig.SAML2.SIGNATURE_VALIDATOR +
" not configured.");
}
}

String isRequestSignedString = properties.getProperty(
SSOAgentConstants.SSOAgentConfig.SAML2.ENABLE_REQUEST_SIGNING);
if (isRequestSignedString != null) {
Expand Down Expand Up @@ -432,6 +443,7 @@ public class SAML2 {
private Boolean isPassiveAuthn = false;
private Boolean isForceAuthn = false;
private String relayState = null;
private String signatureValidatorImplClass = null;
/**
* The html page that will auto-submit the SAML2 to the IdP.
* This should be in valid HTML syntax, with following section within the
Expand Down Expand Up @@ -579,6 +591,10 @@ public void setPassiveAuthn(Boolean isPassiveAuthn) {
public void setForceAuthn(Boolean isForceAuthn) {
this.isForceAuthn = isForceAuthn;
}

public String getSignatureValidatorImplClass() {
return signatureValidatorImplClass;
}
}

public class OpenID {
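Review bot: The `SAML2.SignatureValidatorImplClass` property is only read inside `if (saml2.isResponseSigned())`, so a deployment that signs only assertions (isAssertionSigned true, isResponseSigned false) can never have its custom validator loaded, even though the custom validator in SAML2SSOManager replaces assertion-signature validation as well as response-signature validation. I would read the property unconditionally: drop the surrounding `if (saml2.isResponseSigned()) { ... }` and keep the inner null check and the FINE log unchanged. initConfig begins and ends outside this hunk.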
Expand Up @@ -54,6 +54,7 @@
import org.wso2.carbon.identity.sso.agent.bean.LoggedInSessionBean;
import org.wso2.carbon.identity.sso.agent.bean.SSOAgentConfig;
import org.wso2.carbon.identity.sso.agent.util.CarbonEntityResolver;
import org.wso2.carbon.identity.sso.agent.util.SAMLSignatureValidator;
import org.wso2.carbon.identity.sso.agent.util.SSOAgentUtils;
import org.xml.sax.SAXException;

Expand Down Expand Up @@ -88,11 +89,25 @@ public class SAML2SSOManager {
private static Logger LOGGER = Logger.getLogger(SSOAgentConstants.LOGGER_NAME);
private static volatile boolean bootStrapped = false;
private SSOAgentConfig ssoAgentConfig = null;
private static Object signatureValidator = null;

public SAML2SSOManager(SSOAgentConfig ssoAgentConfig) throws SSOAgentException {

/* Initializing the OpenSAML library, loading default configurations */
this.ssoAgentConfig = ssoAgentConfig;
//load custom Signature Validator Class
String signerClassName = ssoAgentConfig.getSAML2().getSignatureValidatorImplClass();
try {
if (signerClassName != null) {
signatureValidator = Class.forName(signerClassName).newInstance();
}
} catch (ClassNotFoundException e) {
throw new SSOAgentException("Error loading custom signature validator class", e);
} catch (IllegalAccessException e) {
throw new SSOAgentException("Error loading custom signature validator class", e);
} catch (InstantiationException e) {
throw new SSOAgentException("Error loading custom signature validator class", e);
}
try {
if (!bootStrapped) {
synchronized (this) {
Expand Down Expand Up @@ -660,31 +675,36 @@ protected void validateAudienceRestriction(Assertion assertion) throws SSOAgentE
*/
protected void validateSignature(Response response, Assertion assertion) throws SSOAgentException {

if (ssoAgentConfig.getSAML2().isResponseSigned()) {
if (response.getSignature() == null) {
throw new SSOAgentException("SAML2 Response signing is enabled, " +
"but signature element not found in SAML2 Response element");
} else {
try {
SignatureValidator validator = new SignatureValidator(
new X509CredentialImpl(ssoAgentConfig.getSAML2().getSSOAgentX509Credential()));
validator.validate(response.getSignature());
} catch (ValidationException e) {
throw new SSOAgentException("Signature validation failed for SAML2 Response");
if (signatureValidator != null) {
//Custom implemetation of signature validation
SAMLSignatureValidator signatureValidatorUtility = (SAMLSignatureValidator) signatureValidator;
signatureValidatorUtility.validateSignature(response, assertion, ssoAgentConfig);
} else {
//If custom implementation not found, Execute the default implementation
if (ssoAgentConfig.getSAML2().isResponseSigned()) {
if (response.getSignature() == null) {
throw new SSOAgentException("SAML2 Response signing is enabled, but signature element not found in SAML2 Response element");
} else {
try {
SignatureValidator validator = new SignatureValidator(
new X509CredentialImpl(ssoAgentConfig.getSAML2().getSSOAgentX509Credential()));
validator.validate(response.getSignature());
} catch (ValidationException e) {
throw new SSOAgentException("Signature validation failed for SAML2 Response");
}
}
}
}
if (ssoAgentConfig.getSAML2().isAssertionSigned()) {
if (assertion.getSignature() == null) {
throw new SSOAgentException("SAML2 Assertion signing is enabled, but signature element " +
"not found in SAML2 Assertion element");
} else {
try {
SignatureValidator validator = new SignatureValidator(
new X509CredentialImpl(ssoAgentConfig.getSAML2().getSSOAgentX509Credential()));
validator.validate(assertion.getSignature());
} catch (ValidationException e) {
throw new SSOAgentException("Signature validation failed for SAML2 Assertion");
if (ssoAgentConfig.getSAML2().isAssertionSigned()) {
if (assertion.getSignature() == null) {
throw new SSOAgentException("SAML2 Assertion signing is enabled, but signature element not found in SAML2 Assertion element");
} else {
try {
SignatureValidator validator = new SignatureValidator(
new X509CredentialImpl(ssoAgentConfig.getSAML2().getSSOAgentX509Credential()));
validator.validate(assertion.getSignature());
} catch (ValidationException e) {
throw new SSOAgentException("Signature validation failed for SAML2 Assertion");
}
}
}
}
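Review bot: `signatureValidator` is declared as `Object` and only cast to `SAMLSignatureValidator` inside validateSignature, so a configured class that does not implement the interface is accepted by the constructor and fails later with a ClassCastException in the middle of response validation instead of an SSOAgentException at startup. It is also a `static` field written from an instance constructor without synchronization, so each new SAML2SSOManager silently replaces the validator shared by every instance. I would declare `private static volatile SAMLSignatureValidator signatureValidator = null;`, load it with `signatureValidator = Class.forName(signerClassName).asSubclass(SAMLSignatureValidator.class).newInstance();`, and add `catch (ClassCastException e)` to the existing catch chain. Note that once a custom validator is set the built-in "signature element not found" checks are skipped entirely, so that implementation is fully trusted for the decision; validateSignature's closing brace lies outside the hunk.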
@@ -0,0 +1,27 @@
/*
* Copyright (c) WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.identity.sso.agent.util;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.wso2.carbon.identity.sso.agent.SSOAgentException;
import org.wso2.carbon.identity.sso.agent.bean.SSOAgentConfig;

public interface SAMLSignatureValidator {
void validateSignature(Response response, Assertion assertion, SSOAgentConfig ssoAgentConfig) throws SSOAgentException;
}
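Review bot: The interface carries no contract, yet SAML2SSOManager skips all of its own checks (including the missing-Signature-element errors) whenever an implementation is configured, so an implementation that simply returns silently accepts unsigned responses. A Javadoc on `validateSignature` should state that it must throw SSOAgentException whenever the Response or Assertion signature is absent or fails to verify against the configured credential, and that returning normally is taken as "signature valid". A class-level note that implementations need a public no-argument constructor, since they are created with `newInstance()`, would also help integrators.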
5 changes: 2 additions & 3 deletions components/agents/pom.xml
Expand Up @@ -16,13 +16,12 @@
~ specific language governing permissions and limitations
~ under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

<parent>
<groupId>org.wso2.carbon.identity</groupId>
<artifactId>carbon-identity</artifactId>
<version>4.3.4-SNAPSHOT</version>
<version>4.4.1-SNAPSHOT</version>
<relativePath>../../pom.xml</relativePath>
</parent>

Expand Up @@ -12,13 +12,12 @@ License for the specific language governing permissions and ~
limitations under the License.
-->

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

<parent>
<groupId>org.wso2.carbon.identity</groupId>
<artifactId>application-authenticators</artifactId>
<version>4.3.4-SNAPSHOT</version>
<version>4.4.1-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<modelVersion>4.0.0</modelVersion>
Expand Up @@ -12,13 +12,12 @@ License for the specific language governing permissions and ~
limitations under the License.
-->

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

<parent>
<groupId>org.wso2.carbon.identity</groupId>
<artifactId>application-authenticators</artifactId>
<version>4.3.4-SNAPSHOT</version>
<version>4.4.1-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>

Expand Up @@ -17,13 +17,12 @@
~ under the License.
-->

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

<parent>
<groupId>org.wso2.carbon.identity</groupId>
<artifactId>application-authenticators</artifactId>
<version>4.3.4-SNAPSHOT</version>
<version>4.4.1-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<modelVersion>4.0.0</modelVersion>
Expand Up @@ -12,13 +12,12 @@ License for the specific language governing permissions and ~
limitations under the License.
-->

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

<parent>
<groupId>org.wso2.carbon.identity</groupId>
<artifactId>application-authenticators</artifactId>
<version>4.3.4-SNAPSHOT</version>
<version>4.4.1-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>

Expand Up @@ -12,13 +12,12 @@ License for the specific language governing permissions and ~
limitations under the License.
-->

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

<parent>
<groupId>org.wso2.carbon.identity</groupId>
<artifactId>application-authenticators</artifactId>
<version>4.3.4-SNAPSHOT</version>
<version>4.4.1-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>

Expand Up @@ -26,6 +26,7 @@ public class OIDCAuthenticatorConstants {
public static final String OAUTH_OIDC_SCOPE = "openid";
public static final String OAUTH2_GRANT_TYPE_CODE = "code";
public static final String OAUTH2_PARAM_STATE = "state";
public static final String OAUTH2_ERROR = "error";

public static final String ACCESS_TOKEN = "access_token";
public static final String ID_TOKEN = "id_token";
Expand Up @@ -66,6 +66,10 @@ public boolean canHandle(HttpServletRequest request) {
&& request.getParameter(OIDCAuthenticatorConstants.OAUTH2_PARAM_STATE) != null
&& OIDCAuthenticatorConstants.LOGIN_TYPE.equals(getLoginType(request))) {
return true;
} else if (request.getParameter(OIDCAuthenticatorConstants.OAUTH2_PARAM_STATE) != null &&
request.getParameter(OIDCAuthenticatorConstants.OAUTH2_ERROR) != null) {
//if sends error like access_denied
return true;
}
// TODO : What if IdP failed?

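Review bot: The new else-if claims any request carrying both `state` and `error`, without the `OIDCAuthenticatorConstants.LOGIN_TYPE.equals(getLoginType(request))` test that the first branch applies, so an error callback destined for another authenticator that also uses OAuth-style `state`/`error` parameters would be handled here. I would add the same login-type condition to the new branch: `&& OIDCAuthenticatorConstants.LOGIN_TYPE.equals(getLoginType(request))`. Whether getLoginType can be resolved from an error callback depends on how it reads the request, which is outside the hunk; canHandle begins and ends outside the hunk as well.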
