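package org.wso2.solutions.identity.relyingparty.saml;

import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMDocument;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axiom.om.impl.dom.factory.OMDOMFactory;
import org.apache.axiom.om.util.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.DefaultBootstrap;
import org.opensaml.xml.ConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.wso2.solutions.identity.IdentityConstants;
import org.wso2.solutions.identity.i18n.Messages;
import org.wso2.solutions.identity.relyingparty.RelyingPartyException;
import org.wso2.solutions.identity.relyingparty.TokenVerifierConstants;
import org.wso2.solutions.identity.relyingparty.servletfilter.RelyingPartyData;
import org.wso2.solutions.identity.util.IdentityUtil;

import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Map.Entry;

/**
 * Consumes an encrypted SAML token presented to the relying party: decrypts it
 * with the relying party's private key, verifies it, checks the issuer against
 * the configured issuer policy and finally records the outcome (and, on
 * success, the token's attributes and issuer certificates) as servlet request
 * attributes.
 * <p>
 * The OpenSAML library is bootstrapped once when this class is loaded; if that
 * fails the class is unusable and initialisation throws.
 */
public class SAMLTokenConsumer {

    private static Log log = LogFactory.getLog(SAMLTokenConsumer.class);

    private static Messages messages = Messages.getInstance(TokenVerifierConstants.RESOURCES);

    private static SAMLTokenConsumer consumer = null;

    static {
        try {
            DefaultBootstrap.bootstrap();
        } catch (ConfigurationException e) {
            log.error(messages.getMessage("SAMLTokenConsumerBootstrapFailure"), e);
            throw new RuntimeException(e);
        }
    }

    private SAMLTokenConsumer() {
    }

    /**
     * Returns the shared {@code SAMLTokenConsumer} instance, creating it on
     * first use.
     * <p>
     * Synchronised because this is invoked from servlet filters, i.e. from
     * many request threads concurrently; the unsynchronised lazy check could
     * otherwise hand out more than one instance.
     *
     * @return the singleton consumer
     */
    public static synchronized SAMLTokenConsumer getInstance() {
        if (consumer == null) {
            consumer = new SAMLTokenConsumer();
        }
        return consumer;
    }

    /**
     * Processes a token for the current request. The control flow is
     * 1) decrypt and verify, 2) validate the issuer policy, 3) inject the
     * result into the {@link HttpServletRequest}.
     * <p>
     * Verification and policy checking must both pass for the token to be
     * accepted; the policy is only consulted when verification succeeded.
     *
     * @param request  the request that receives the outcome as attributes
     * @param xmlToken the encrypted token as received from the client
     * @param data     relying-party configuration (private key, issuer policy)
     * @throws RelyingPartyException if decryption, verification or policy
     *                               evaluation fails with an error
     */
    public void setInfocardSessionAttributes(HttpServletRequest request, String xmlToken,
            RelyingPartyData data) throws RelyingPartyException {
        SAMLTokenVerifier verifier = new SAMLTokenVerifier();
        // The verifier retains what it extracts (issuer name, certificates,
        // KeyInfo, attribute table) for the injection step below.
        Element plainTokenElem = verifier.decryptToken(xmlToken, data.getPrivateKey());

        boolean accepted = verifier.verifyDecryptedToken(plainTokenElem, data)
                && validateIssuerInfoPolicy(verifier, data);

        if (accepted) {
            injectDataToRequestOnSuccess(verifier, request);
        } else {
            injectDataToRequestOnFailure(verifier, request);
        }
    }

    /**
     * Checks the token's issuer against the relying party's issuer policy.
     * <ul>
     * <li>A self-issued card is accepted under every policy, including when no
     * policy is configured.</li>
     * <li>A managed card is rejected under {@code SELF_ONLY} and accepted
     * under any other configured policy.</li>
     * <li>A managed card with no configured policy is an error (fail closed).</li>
     * </ul>
     *
     * @param verifier the verifier that processed the token (supplies the issuer name)
     * @param data     relying-party configuration (supplies the issuer policy)
     * @return whether the issuer is acceptable under the policy
     * @throws RelyingPartyException if the policy cannot be evaluated
     */
    protected boolean validateIssuerInfoPolicy(SAMLTokenVerifier verifier, RelyingPartyData data)
            throws RelyingPartyException {
        String issuerName = verifier.getIssuerName();
        String issuerPolicy = data.getIssuerPolicy();

        if (IdentityConstants.SELF_ISSUED_ISSUER.equals(issuerName)) {
            return issuerPolicy == null
                    || TokenVerifierConstants.SELF_ONLY.equals(issuerPolicy)
                    || TokenVerifierConstants.SELF_AND_MANGED.equals(issuerPolicy);
        }

        if (issuerPolicy == null) {
            // The previous implementation dereferenced the missing policy here
            // and surfaced the NullPointerException as a RelyingPartyException.
            // Keep that fail-closed outcome, but say why.
            throw new RelyingPartyException("errorValidatingIssuerPolicy",
                    new IllegalStateException("no issuer policy configured for a managed-card issuer"));
        }

        // Not a self-issued card: only the self-only policy rejects it.
        return !TokenVerifierConstants.SELF_ONLY.equals(issuerPolicy);
    }

    /**
     * Records a failed verification by setting the state attribute to
     * {@code STATE_FAILURE}. Nothing from the token is exposed to the request.
     *
     * @param verifier the verifier that processed the token (unused on failure)
     * @param request  the request to annotate
     */
    protected void injectDataToRequestOnFailure(SAMLTokenVerifier verifier, ServletRequest request) {
        request.setAttribute(TokenVerifierConstants.SERVLET_ATTR_STATE,
                TokenVerifierConstants.STATE_FAILURE);
    }

    /**
     * Records a successful verification: sets the state attribute to
     * {@code STATE_SUCCESS}, publishes the issuer info (certificates and
     * KeyInfo) when present, and copies every entry of the verifier's attribute
     * table onto the request as a {@code String -> String} attribute.
     * <p>
     * The attribute table originates from the token. An entry whose key equals
     * one of the attributes written by this class ({@code SERVLET_ATTR_STATE},
     * {@code ISSUER_INFO}) is skipped and logged, so a token cannot overwrite
     * the verification result.
     *
     * @param verifier the verifier that processed the token
     * @param request  the request to annotate
     * @throws RelyingPartyException if the issuer info cannot be built
     */
    protected void injectDataToRequestOnSuccess(SAMLTokenVerifier verifier, ServletRequest request)
            throws RelyingPartyException {
        request.setAttribute(TokenVerifierConstants.SERVLET_ATTR_STATE,
                TokenVerifierConstants.STATE_SUCCESS);

        String issuerInfo = getIssuerInfoString(verifier);
        if (issuerInfo != null) {
            request.setAttribute(TokenVerifierConstants.ISSUER_INFO, issuerInfo);
        }

        for (Object item : verifier.getAttributeTable().entrySet()) {
            Entry entry = (Entry) item;
            String key = (String) entry.getKey();
            String value = (String) entry.getValue();
            if (TokenVerifierConstants.SERVLET_ATTR_STATE.equals(key)
                    || TokenVerifierConstants.ISSUER_INFO.equals(key)) {
                log.warn("Ignoring token attribute that collides with a reserved request attribute: "
                        + key);
                continue;
            }
            request.setAttribute(key, value);
        }
    }

    /**
     * Serialises the issuer information gathered by the verifier into a single
     * XML string: a {@code Certificates} element holding each certificate
     * Base64-encoded (the first one flagged as the signing certificate) followed
     * by the token's {@code KeyInfo} element, if any. Returns {@code null} when
     * there is neither.
     * <p>
     * NOTE(review): the "first certificate is the signing certificate" rule is
     * taken over from the original code and relies on the verifier ordering its
     * certificate list that way — confirm against SAMLTokenVerifier.
     *
     * @param verifier the verifier that processed the token
     * @return the serialised issuer info, or {@code null} if there is none
     * @throws RelyingPartyException if a certificate cannot be encoded or the
     *                               KeyInfo cannot be re-parsed
     */
    protected String getIssuerInfoString(SAMLTokenVerifier verifier) throws RelyingPartyException {
        OMFactory factory = OMAbstractFactory.getOMFactory();
        OMNamespace ns = factory.createOMNamespace(TokenVerifierConstants.NS,
                TokenVerifierConstants.PREFIX);
        List certificateList = verifier.getCertificates();
        Element keyInfo = verifier.getKeyInfoElement();

        OMElement certificatesElem = null;
        OMElement omKeyInfo = null;
        try {
            // A null or empty list simply yields no Certificates element.
            if (certificateList != null) {
                boolean signingMarked = false;
                for (Iterator ite = certificateList.iterator(); ite.hasNext();) {
                    X509Certificate cert = (X509Certificate) ite.next();
                    if (certificatesElem == null) {
                        certificatesElem = factory.createOMElement(
                                TokenVerifierConstants.LN_CERTIFICATES, ns);
                    }
                    OMElement certElem = factory.createOMElement(
                            TokenVerifierConstants.LN_CERTIFICATE, ns);
                    if (!signingMarked) {
                        certElem.addAttribute(TokenVerifierConstants.LN_SIGNING_CERT, "true", null);
                        signingMarked = true;
                    }
                    certElem.setText(Base64.encode(cert.getEncoded()));
                    certificatesElem.addChild(certElem);
                }
            }

            if (keyInfo != null) {
                // The KeyInfo DOM node is serialised and re-parsed into Axiom.
                // The text came from a DOM node we already hold, but the parser
                // is still locked down against DTDs and external entities so a
                // stray declaration can never reach the XML stack.
                XMLInputFactory inputFactory = XMLInputFactory.newInstance();
                inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
                inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
                        Boolean.FALSE);
                String value = IdentityUtil.nodeToString(keyInfo);
                XMLStreamReader parser = inputFactory.createXMLStreamReader(new StringReader(value));
                // Axiom builds lazily: the reader must stay open until
                // omKeyInfo is serialised below, and it is backed by an
                // in-memory StringReader, so it is deliberately not closed here.
                omKeyInfo = new StAXOMBuilder(parser).getDocumentElement();
            }
        } catch (Exception e) {
            // Preserve the cause; the original threw the message key alone.
            throw new RelyingPartyException("errorBuildingIssuerInfo", e);
        }

        boolean hasContent = false;
        StringBuilder issuerInfo = new StringBuilder();
        if (certificatesElem != null) {
            issuerInfo.append(certificatesElem.toString());
            hasContent = true;
        }
        if (omKeyInfo != null) {
            issuerInfo.append(omKeyInfo.toString());
            hasContent = true;
        }
        return hasContent ? issuerInfo.toString() : null;
    }
}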