
📄 samlpostprofile.java

📁 开放源代码的基于SAML的单点登录系统
/*
    The OpenSAML License, Version 1.
    Copyright (c) 2002
    University Corporation for Advanced Internet Development, Inc.
    All rights reserved

    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that the following conditions are met:
    Redistributions of source code must retain the above copyright notice, this
    list of conditions and the following disclaimer.
    Redistributions in binary form must reproduce the above copyright notice,
    this list of conditions and the following disclaimer in the documentation
    and/or other materials provided with the distribution, if any, must include
    the following acknowledgment: "This product includes software developed by
    the University Corporation for Advanced Internet Development
    <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement
    may appear in the software itself, if and wherever such third-party
    acknowledgments normally appear.
    Neither the name of OpenSAML nor the names of its contributors, nor
    Internet2, nor the University Corporation for Advanced Internet Development,
    Inc., nor UCAID may be used to endorse or promote products derived from this
    software without specific prior written permission. For written permission,
    please contact opensaml@opensaml.org
    Products derived from this software may not be called OpenSAML, Internet2,
    UCAID, or the University Corporation for Advanced Internet Development, nor
    may OpenSAML appear in their name, without prior written permission of the
    University Corporation for Advanced Internet Development.
    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
    AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
    LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
    PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
    OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
    IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
    CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
    INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
    (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
    LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
    ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
    (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
    SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

package org.opensaml;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.TreeMap;
import java.util.Vector;

import org.apache.log4j.Logger;
import org.apache.xml.security.exceptions.Base64DecodingException;
import org.apache.xml.security.utils.Base64;

/**
 *  Basic implementation of SAML POST browser profile
 *  <p>
 *  The two lookup methods visible here, getSSOAssertion and getSSOStatement,
 *  only inspect the content of an already-parsed response or assertion
 *  (validity window, conditions, confirmation method). Neither of them
 *  verifies a signature.
 *
 * @author     Scott Cantor
 * @created    April 1, 2002
 */
public class SAMLPOSTProfile
{
    private static Logger log = Logger.getLogger(SAMLPOSTProfile.class.getName());

    // Replay-tracking state. Both fields are static, so a single copy is shared
    // by every caller in the JVM.
    // NOTE(review): the code that reads and writes these is not visible in this
    // part of the file - presumably checkReplayCache(), which is synchronized.
    // Confirm that every access goes through a synchronized path, since TreeMap
    // and HashSet are not thread-safe on their own.
    private static TreeMap replayExpMap = new TreeMap();
    private static HashSet replayCache = new HashSet();

    /**
     *  Locates an assertion containing a "bearer" AuthenticationStatement in
     *  the response and validates the enclosing assertion with respect to the
     *  POST profile
     *  <p>
     *  An assertion is returned only if all of the following hold:
     *  <ul>
     *    <li>it carries both a NotBefore and a NotOnOrAfter value;</li>
     *    <li>the current system time lies inside that window after the window
     *        has been widened by 300000 ms (5 minutes) on each side;</li>
     *    <li>every condition it carries is a SAMLAudienceRestrictionCondition
     *        whose eval(audiences) returns true;</li>
     *    <li>at least one of its authentication statements has a subject that
     *        lists SAMLSubject.CONF_BEARER as a confirmation method.</li>
     *  </ul>
     *  The first assertion in iteration order that passes is returned.
     *  <p>
     *  Security note: this method does not verify any signature, does not
     *  look at the response's recipient, and does not consult the replay
     *  cache. A returned assertion is therefore not proof of authenticity by
     *  itself; those checks have to be made by the caller or elsewhere.
     *
     * @param  r          The response to the accepting site
     * @param  audiences  The set of audience values to test any conditions
     *      against; passed unchanged to SAMLAudienceRestrictionCondition.eval
     * @return            An SSO assertion
     *
     * @throws SAMLException    Thrown if a valid SSO assertion cannot be found:
     *      an ExpiredAssertionException when the response held exactly one
     *      assertion and that assertion failed a time check, a
     *      FatalProfileException in every other case
     */
    public static SAMLAssertion getSSOAssertion(SAMLResponse r, Collection audiences)
        throws SAMLException
    {
        // acount:   number of assertions examined so far.
        // bExpired: whether the assertion examined most recently failed one of the
        //           two time checks. It is reset at the top of every iteration, so
        //           after the loop it describes the last assertion only.
        int acount = 0;
        boolean bExpired = false;

        Iterator assertions = r.getAssertions();
        assertion_loop :
        while (assertions.hasNext())
        {
            acount++;
            bExpired = false;
            SAMLAssertion a=(SAMLAssertion)assertions.next();

            // A SSO assertion must be bounded front and back.
            // An assertion missing either bound is skipped without setting bExpired.
            Date notBefore = a.getNotBefore();
            Date notOnOrAfter = a.getNotOnOrAfter();
            if (notBefore == null || notOnOrAfter == null)
                continue;

            // Not valid yet, even after subtracting the 300000 ms allowance
            // (presumably a clock-skew tolerance). This case is recorded in
            // bExpired as well, although the assertion is early rather than expired.
            if (notBefore.getTime() - 300000 > System.currentTimeMillis())
            {
                bExpired = true;
                continue;
            }

            // Past NotOnOrAfter by at least the same 300000 ms allowance.
            // NOTE(review): the allowance is hard-coded on both bounds, so an
            // assertion stays acceptable for its stated lifetime plus 10 minutes;
            // confirm that this matches the deployment's replay-cache retention.
            if (notOnOrAfter.getTime() + 300000 <= System.currentTimeMillis())
            {
                bExpired = true;
                continue;
            }

            // Check conditions. The only type we know about is an audience restriction.
            // Fails closed: a condition of any other type rejects the whole assertion,
            // as does an audience restriction that does not evaluate true.
            // NOTE(review): an assertion that carries no conditions never enters this
            // loop, so an audience restriction is not required for acceptance -
            // confirm that this is intended.
            Iterator conditions = a.getConditions();
            while (conditions.hasNext())
            {
                SAMLCondition c=(SAMLCondition)conditions.next();
                if (!(c instanceof SAMLAudienceRestrictionCondition) ||
                    !((SAMLAudienceRestrictionCondition)c).eval(audiences))
                    continue assertion_loop;
            }

            // Look for an authentication statement.
            Iterator statements = a.getStatements();
            while (statements.hasNext())
            {
                SAMLStatement s=(SAMLStatement)statements.next();
                if (!(s instanceof SAMLAuthenticationStatement))
                    continue;

                // NOTE(review): the subject is dereferenced without a null check;
                // confirm getSubject() cannot return null for a parsed statement.
                SAMLSubject subject=((SAMLAuthenticationStatement)s).getSubject();
                Iterator methods=subject.getConfirmationMethods();
                // The first bearer confirmation method found accepts the assertion.
                while (methods.hasNext())
                    if (((String)methods.next()).equals(SAMLSubject.CONF_BEARER))
                        return a;
            }
        }

        // Nothing qualified. The more specific "expired" error is reported only when
        // the response held a single assertion and it failed a time check.
        if (bExpired == true && acount == 1)
            throw new ExpiredAssertionException(SAMLException.RESPONDER,"SAMLPOSTProfile.getSSOAssertion() unable to find a SSO assertion with valid time condition");

        throw new FatalProfileException(SAMLException.RESPONDER,"SAMLPOSTProfile.getSSOAssertion() unable to find a valid SSO assertion");
    }

    /**
     *  Locates a "bearer" AuthenticationStatement in the assertion and
     *  validates the statement with respect to the POST profile
     *  <p>
     *  The only check made here is that the statement's subject lists
     *  SAMLSubject.CONF_BEARER as a confirmation method; the first such
     *  statement in iteration order is returned. The assertion's validity
     *  window, conditions and signature are not examined by this method.
     *
     * @param  a  The SSO assertion sent to the accepting site
     * @return    A "bearer" authentication statement
     *
     * @throws SAMLException    Thrown if a SSO statement cannot be found
     *      (a FatalProfileException)
     */
    public static SAMLAuthenticationStatement getSSOStatement(SAMLAssertion a)
        throws SAMLException
    {
        // Look for an authentication statement.
        Iterator statements = a.getStatements();
        while (statements.hasNext())
        {
            SAMLStatement s=(SAMLStatement)statements.next();
            if (!(s instanceof SAMLAuthenticationStatement))
                continue;

            // NOTE(review): the subject is dereferenced without a null check;
            // confirm getSubject() cannot return null for a parsed statement.
            SAMLSubject subject=((SAMLAuthenticationStatement)s).getSubject();
            Iterator methods=subject.getConfirmationMethods();
            while (methods.hasNext())
                if (((String)methods.next()).equals(SAMLSubject.CONF_BEARER))
                    return (SAMLAuthenticationStatement)s;
        }

        throw new FatalProfileException(SAMLException.RESPONDER,"SAMLPOSTProfile.getSSOStatement() unable to find a valid SSO statement");
    }

    /**
     *  Searches the replay cache for the specified assertion and inserts a
     *  newly seen assertion into the cache<P>
     *
     *  Also performs garbage collection of the cache by deleting expired
     *  entries.
     *
     * @param  a  The assertion to look up and possibly add
     * @return    true iff the assertion has not been seen before
     */
    public static synchronized boolean checkReplayCache(SAMLAssertion a)
    {
        // Garbage collect any expired entries.
