package samlsso.providers.identityassertion;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;
import java.util.Iterator;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLPOSTProfile;
import org.opensaml.SAMLResponse;
import weblogic.management.security.ProviderMBean;
import weblogic.security.spi.AuthenticationProvider;
import weblogic.security.spi.IdentityAsserter;
import weblogic.security.spi.IdentityAssertionException;
import weblogic.security.spi.PrincipalValidator;
import weblogic.security.spi.SecurityServices;
/**
*
* @author maxq
* @version 0.9
*/
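/**
 * WebLogic identity asserter for SAML tokens.
 *
 * <p>Accepts a token of type {@value #TOKEN_TYPE}, which must be the raw bytes of a
 * SAML response as consumed by the OpenSAML 1.x POST profile, requires the response
 * to be signed, verifies the signatures of the response and of its SSO assertion
 * against the X.509 certificate loaded from the configured certificate file, and
 * returns a {@link CallbackHandler} carrying the subject name of the first
 * {@code SAMLAuthenticationStatement} found in that assertion.
 *
 * <p>The provider is not an authenticator: it returns no login-module configuration
 * and no principal validator. Signature verification needs the certificate loaded by
 * {@link #initialize}; while it is missing every assertion attempt is rejected with an
 * {@link IdentityAssertionException}, so a broken configuration fails closed.
 *
 * @author maxq
 * @version 0.9
 */
public final class SAMLIdentityAsserterProviderImpl implements AuthenticationProvider, IdentityAsserter {

    /** The only token type this asserter handles. */
    private static final String TOKEN_TYPE = "SAML.Assertion";

    /**
     * Recipient the SAML response must be addressed to, and the audience the SSO
     * assertion must be restricted to. These look like placeholder values taken from
     * the OpenSAML samples; a deployment must replace them with its own
     * assertion-consumer URL and audience URI, since OpenSAML is expected to reject a
     * response addressed elsewhere (confirm against the OpenSAML version in use).
     */
    private static final String RECIPIENT = "www.opensaml.org";
    private static final String AUDIENCE = "http://www.opensaml.org";

    /** Maximum response age, in seconds, passed to {@code SAMLPOSTProfile.accept}. */
    private static final int RESPONSE_TTL_SECONDS = 60;

    /** Human-readable description; replaced from the MBean in {@link #initialize}. */
    private String description = "A SAML Token Assertion Provider";

    /** Path of the X.509 certificate file holding the issuer's public key. */
    private String cert_path;

    // Read from the MBean but never used by this implementation: the certificate is
    // loaded from a bare certificate file, not from a keystore, so holding the
    // password here keeps a secret in memory for no purpose.
    private String alias;
    private char[] password;

    /** Issuer certificate used to verify signatures; null until initialize() has loaded it. */
    private Certificate cert;

    /**
     * Reads the provider settings from the MBean and loads the issuer certificate.
     *
     * <p>A certificate that cannot be read is reported on stderr and left unset rather
     * than aborting provider start-up; {@link #assertIdentity} then rejects every
     * token until the certificate path is fixed.
     *
     * @param mbean the provider's MBean, expected to be a {@code SAMLIdentityAsserterMBean}
     * @param services WebLogic security services (unused)
     */
    public void initialize(ProviderMBean mbean, SecurityServices services) {
        SAMLIdentityAsserterMBean myMBean = (SAMLIdentityAsserterMBean) mbean;
        description = mbean.getDescription() + "\n" + mbean.getVersion();
        // Guard the null case: an unset password must not abort initialization.
        String configuredPassword = myMBean.getPassword();
        password = configuredPassword == null ? null : configuredPassword.toCharArray();
        alias = myMBean.getAlias();
        cert_path = myMBean.getCertPath();
        cert = loadCertificate(cert_path);
    }

    /**
     * Loads the X.509 certificate stored in the file at {@code path}.
     *
     * @param path file system path of the certificate file
     * @return the certificate, or null when the file cannot be read or parsed
     */
    private static Certificate loadCertificate(String path) {
        try {
            FileInputStream fis = new FileInputStream(path);
            try {
                CertificateFactory factory = CertificateFactory.getInstance("X.509");
                return factory.generateCertificate(fis);
            } finally {
                try {
                    fis.close();
                } catch (IOException ignored) {
                    // Nothing useful to do about a failed close once the read has finished.
                }
            }
        } catch (Exception ex) {
            // Broad catch on purpose: a missing file or an unparsable certificate both
            // leave cert null, which assertIdentity treats as fatal for every token.
            System.err.println("SAMLIdentityAsserter: cannot load certificate from " + path);
            ex.printStackTrace();
            return null;
        }
    }

    /**
     * Returns the provider description taken from the MBean.
     *
     * @return description and version, separated by a newline
     */
    public String getDescription() {
        return description;
    }

    /** No resources to release. */
    public void shutdown() {
    }

    /**
     * Returns the identity asserter of this provider.
     *
     * @return this instance
     */
    public IdentityAsserter getIdentityAsserter() {
        return this;
    }

    /**
     * Asserts the identity carried by a SAML POST-profile response.
     *
     * @param type the token type; must equal {@value #TOKEN_TYPE}
     * @param token the SAML response as a {@code byte[]}
     * @return a callback handler that yields the asserted user name
     * @throws IdentityAssertionException if the token type or token class is wrong, no
     *     certificate is loaded, the response is unsigned, a signature does not verify,
     *     the assertion carries no authentication statement, or OpenSAML rejects the
     *     response for any other reason
     */
    public CallbackHandler assertIdentity(String type, Object token) throws IdentityAssertionException {
        if (!TOKEN_TYPE.equals(type)) {
            throw new IdentityAssertionException("SAMLIdentityAsserter received unknown token type \""
                    + type + "\". Expected " + TOKEN_TYPE);
        }
        if (!(token instanceof byte[])) {
            throw new IdentityAssertionException("SAMLIdentityAsserter expected a byte[] token but got "
                    + (token == null ? "null" : token.getClass().getName()));
        }
        if (cert == null) {
            // Fail closed: without the issuer certificate no signature can be checked.
            throw new IdentityAssertionException(
                    "SAMLIdentityAsserter has no issuer certificate loaded; check the configured certificate path");
        }
        try {
            SAMLResponse response = SAMLPOSTProfile.accept((byte[]) token, RECIPIENT, RESPONSE_TTL_SECONDS, true);
            if (!response.isSigned()) {
                throw new IdentityAssertionException("The SAML Assertion is not signed!");
            }
            SAMLAssertion assertion = SAMLPOSTProfile.getSSOAssertion(response, Collections.singleton(AUDIENCE));
            // Verify both signatures before trusting anything inside the message;
            // verify() is expected to throw on a tampered object — confirm against
            // the OpenSAML version in use.
            assertion.verify(cert);
            response.verify(cert);
            SAMLAuthenticationStatement statement = findAuthenticationStatement(assertion);
            if (statement == null) {
                throw new IdentityAssertionException("The SAML Assertion carries no AuthenticationStatement");
            }
            String userName = statement.getSubject().getName().getName();
            return new SAMLCallbackHandlerImpl(userName);
        } catch (IdentityAssertionException ex) {
            // Our own rejections pass through unwrapped so their message stays intact.
            throw ex;
        } catch (Exception ex) {
            ex.printStackTrace();
            // Keep the cause so the real failure is visible to whoever logs this.
            throw new IdentityAssertionException(ex.toString(), ex);
        }
    }

    /**
     * Finds the first authentication statement of an assertion.
     *
     * @param assertion the assertion whose statements are scanned
     * @return the first {@code SAMLAuthenticationStatement}, or null if there is none
     */
    private static SAMLAuthenticationStatement findAuthenticationStatement(SAMLAssertion assertion) {
        for (Iterator it = assertion.getStatements(); it.hasNext(); ) {
            Object statement = it.next();
            if (statement instanceof SAMLAuthenticationStatement) {
                return (SAMLAuthenticationStatement) statement;
            }
        }
        return null;
    }

    /**
     * Return how to call the login module to perform authentication.
     *
     * @return A null AppConfigurationEntry since this identity asserter is not an
     *     authenticator (thus doesn't have a login module).
     */
    public AppConfigurationEntry getLoginModuleConfiguration() {
        return null;
    }

    /**
     * Return how to call the login module to complete identity assertion (where the
     * identity asserter finds the user name and the authenticator puts the user and
     * its groups into the subject).
     *
     * @return A null AppConfigurationEntry since this identity asserter is not an
     *     authenticator (thus doesn't have a login module).
     */
    public AppConfigurationEntry getAssertionModuleConfiguration() {
        return null;
    }

    /**
     * Return an object that can validate principals (eg. users and groups) that this
     * provider puts into the subject.
     *
     * @return A null PrincipalValidator since this identity asserter is not an
     *     authenticator (thus doesn't put principals into the subject).
     */
    public PrincipalValidator getPrincipalValidator() {
        return null;
    }
}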