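Set trash = replayExpMap.headMap(new Date()).keySet();
for (Iterator i = trash.iterator(); i.hasNext(); replayCache.remove(replayExpMap.get(i.next())))
    ;
trash.clear();

// If it's already been seen, bail.
if (!replayCache.add(a.getId()))
    return false;

// Not a multi-map, so if there's duplicate timestamp, increment by a millisecond.
Date expires = new Date(a.getNotOnOrAfter().getTime() + 300000);
while (replayExpMap.containsKey(expires))
    expires.setTime(expires.getTime() + 1);

// Add the pair to the expiration map.
replayExpMap.put(expires, a.getId());
return true;
}

    /**
     * Parse a Base-64 encoded buffer back into a SAML response and optionally test its
     * validity against the POST profile<P>
     *
     * The signature over the response is not verified or examined, nor is the
     * identity of the signer. The replay cache is also not checked. When
     * <code>process</code> is true, only the checks performed by
     * {@link #process(SAMLResponse, String, int)} are applied (response-level
     * recipient and issue instant); the caller is still responsible for
     * signature verification and for replay detection.
     *
     * @param buf           A Base-64 encoded buffer containing a SAML response
     * @param receiver      The URL of the intended consumer of the response
     * @param ttlSeconds    Seconds allowed to lapse from the issuance of the response
     * @param process       Process the response or just decode and parse it?
     * @return SAML response sent by origin site
     * @exception SAMLException Thrown if the buffer cannot be decoded or parsed,
     *                          or (when <code>process</code> is true) the response
     *                          fails the profile checks
     */
    public static SAMLResponse accept(byte[] buf, String receiver, int ttlSeconds, boolean process)
        throws SAMLException {
        try {
            SAMLResponse r = new SAMLResponse(new ByteArrayInputStream(Base64.decode(buf)));
            if (process)
                process(r, receiver, ttlSeconds);
            return r;
        }
        catch (Base64DecodingException e) {
            // A buffer that is not valid Base-64 is a requester-side error; the
            // decoder's own message is not propagated (no cause-taking ctor used here).
            throw new InvalidAssertionException(SAMLException.REQUESTER,
                "SAMLPOSTProfile.accept() unable to decode base64 response");
        }
    }

    // Judge the validity of the response according to the profile conditions.
    /**
     * Test the validity of a response against the POST profile<P>
     *
     * The signature over the response is not verified or examined, nor is the
     * identity of the signer. The replay cache is also not checked. Only the
     * response-level <code>Recipient</code> and <code>IssueInstant</code> are
     * examined here; the conditions carried by the embedded assertions are not
     * evaluated by this method.
     *
     * @param r             The response to process
     * @param receiver      The URL of the intended consumer of the response
     * @param ttlSeconds    Seconds allowed to lapse from the issuance of the response
     * @exception SAMLException Thrown if the response is invalid: the recipient does
     *                          not match, the response is older than
     *                          <code>ttlSeconds</code> (plus clock-skew allowance), or
     *                          its issue instant lies in the future beyond the
     *                          clock-skew allowance
     */
    public static void process(SAMLResponse r, String receiver, int ttlSeconds) throws SAMLException {
        if (receiver == null || receiver.length() == 0 || !receiver.equals(r.getRecipient()))
            throw new InvalidAssertionException(SAMLException.REQUESTER,
                "SAMLPOSTProfile.accept() detected recipient mismatch: " + r.getRecipient());

        // Five minutes of tolerance for clock skew between issuer and receiver,
        // the same allowance used for the assertion lifetime elsewhere in this class.
        final long skewMillis = 300000;
        long now = System.currentTimeMillis();
        long issued = r.getIssueInstant().getTime();

        // Use a long multiplication so a large ttlSeconds cannot overflow an int.
        if (issued + (1000L * ttlSeconds) + skewMillis < now)
            throw new ExpiredAssertionException(SAMLException.RESPONDER,
                "SAMLPOSTProfile.accept() detected expired response");

        // A response claiming to be issued later than now + skew would otherwise be
        // accepted for an arbitrarily long time, since only the upper bound is checked above.
        if (issued > now + skewMillis)
            throw new InvalidAssertionException(SAMLException.REQUESTER,
                "SAMLPOSTProfile.accept() detected response issued in the future");
    }

    /**
     * Used by authenticating site to generate a SAML response conforming to
     * the POST profile<P>
     *
     * The response MUST be signed by the caller before sending to relying
     * site.<P>
     *
     * Implementations that need to embed additional statements or more complex
     * conditions can override or ignore this class.
     *
     * @param recipient     URL of intended consumer
     * @param issuer        Issuer of assertion
     * @param audiences     URIs identifying intended relying parties/communities (optional)
     * @param name          Name of subject
     * @param nameQualifier Federates or qualifies subject name (optional)
     * @param format        URI describing name semantics and format (optional)
     * @param subjectIP     Client address of subject (optional)
     * @param authMethod    URI of authentication method being asserted
     * @param authInstant   Date and time of authentication being asserted
     * @param bindings      Set of SAML authorities the relying party may contact (optional)
     * @return SAML response to send to accepting site
     * @exception SAMLException Base class of exceptions that may be thrown during processing
     * @deprecated Callers should prefer the overloaded method
     *             that accepts <code>SAMLNameIdentifier</code> objects
     */
    public static SAMLResponse prepare(
        String recipient,
        String issuer,
        Collection audiences,
        String name,
        String nameQualifier,
        String format,
        String subjectIP,
        String authMethod,
        Date authInstant,
        Collection bindings)
        throws SAMLException {
        // Wrap the loose name fields into a name identifier and delegate.
        return prepare(
            recipient,
            issuer,
            audiences,
            new SAMLNameIdentifier(name, nameQualifier, format),
            subjectIP,
            authMethod,
            authInstant,
            bindings);
    }

    /**
     * Used by authenticating site to generate a SAML response conforming to
     * the POST profile<P>
     *
     * The response MUST be signed by the caller before sending to relying
     * site.<P>
     *
     * Implementations that need to embed additional statements or more complex
     * conditions can override or ignore this class.
     *
     * @param recipient     URL of intended consumer
     * @param issuer        Issuer of assertion
     * @param audiences     URIs identifying intended relying parties/communities (optional)
     * @param nameId        Name Identifier representing the subject
     * @param subjectIP     Client address of subject (optional)
     * @param authMethod    URI of authentication method being asserted
     * @param authInstant   Date and time of authentication being asserted
     * @param bindings      Set of SAML authorities the relying party may contact (optional)
     * @return SAML response to send to accepting site
     * @exception SAMLException Base class of exceptions that may be thrown during processing
     */
    public static SAMLResponse prepare(String recipient,
                                       String issuer,
                                       Collection audiences,
                                       SAMLNameIdentifier nameId,
                                       String subjectIP,
                                       String authMethod,
                                       Date authInstant,
                                       Collection bindings)
        throws SAMLException {
        log.info("Creating SAML Response.");

        if (recipient == null || recipient.length() == 0)
            throw new SAMLException(SAMLException.RESPONDER, "SAMLPOSTProfile.prepare() requires recipient");

        // The only condition attached is an audience restriction, and only when audiences were supplied.
        Vector conditions = new Vector(1);
        if (audiences != null && !audiences.isEmpty())
            conditions.add(new SAMLAudienceRestrictionCondition(audiences));

        // Bearer confirmation: possession of the response is the proof of subject.
        String[] confirmationMethods = {SAMLSubject.CONF_BEARER};
        SAMLSubject subject = new SAMLSubject(nameId, Arrays.asList(confirmationMethods), null, null);
        SAMLStatement[] statements = {
            new SAMLAuthenticationStatement(subject, authMethod, authInstant, subjectIP, null, bindings)
        };

        // Read the clock once so NotOnOrAfter is exactly five minutes after NotBefore.
        long now = System.currentTimeMillis();
        SAMLAssertion[] assertions = {
            new SAMLAssertion(issuer,
                              new Date(now),
                              new Date(now + 300000),
                              conditions,
                              null,
                              Arrays.asList(statements))
        };

        return new SAMLResponse(null, recipient, Arrays.asList(assertions), null);
    }
}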