[PLINK2-85] - Support SessionIndex when issuing assertions and logout…

… requests
picketlink · May 28, 2013 · 0769fb8 · 0769fb8
1 parent 40ad6e8
commit 0769fb8
Show file tree

Hide file tree

Showing 4 changed files with 118 additions and 56 deletions.
diff --git a/.../main/java/org/picketlink/identity/federation/core/parsers/saml/SAMLSloRequestParser.java b/.../main/java/org/picketlink/identity/federation/core/parsers/saml/SAMLSloRequestParser.java
@@ -1,19 +1,23 @@
 /*
- * JBoss, Home of Professional Open Source
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
  *
- * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
  *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
  *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
  */
 package org.picketlink.identity.federation.core.parsers.saml;
 
@@ -25,11 +29,11 @@
 import javax.xml.stream.events.Attribute;
 import javax.xml.stream.events.StartElement;
 
+import org.picketlink.common.constants.JBossSAMLConstants;
 import org.picketlink.common.exceptions.ParsingException;
 import org.picketlink.common.parsers.ParserNamespaceSupport;
-import org.picketlink.identity.federation.core.parsers.util.SAMLParserUtil;
 import org.picketlink.common.util.StaxParserUtil;
-import org.picketlink.common.constants.JBossSAMLConstants;
+import org.picketlink.identity.federation.core.parsers.util.SAMLParserUtil;
 import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil;
 import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
 import org.picketlink.identity.federation.saml.v2.protocol.LogoutRequestType;
@@ -67,7 +71,7 @@ public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
 
             if (JBossSAMLConstants.SESSION_INDEX.get().equals(elementName)) {
                 startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
-                logoutRequest.getSessionIndex().add(StaxParserUtil.getElementText(xmlEventReader));
+                logoutRequest.addSessionIndex(StaxParserUtil.getElementText(xmlEventReader));
             } else if (JBossSAMLConstants.NAMEID.get().equals(elementName)) {
                 NameIDType nameID = SAMLParserUtil.parseNameIDType(xmlEventReader);
                 logoutRequest.setNameID(nameID);

diff --git a/...ain/java/org/picketlink/identity/federation/core/saml/v2/writers/SAMLAssertionWriter.java b/...ain/java/org/picketlink/identity/federation/core/saml/v2/writers/SAMLAssertionWriter.java
@@ -1,19 +1,19 @@
 /*
- * JBoss, Home of Professional Open Source
+ * JBoss, Home of Professional Open Source. Copyright 2008, Red Hat Middleware LLC, and individual contributors as
+ * indicated by the @author tags. See the copyright.txt file in the distribution for a full listing of individual
+ * contributors.
  *
- * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ * This is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any
+ * later version.
  *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+ * This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+ * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
  *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * You should have received a copy of the GNU Lesser General Public License along with this software; if not, write to
+ * the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF site:
+ * http://www.fsf.org.
  */
 package org.picketlink.identity.federation.core.saml.v2.writers;
 
@@ -29,11 +29,11 @@
 
 import org.jboss.security.xacml.core.model.context.RequestType;
 import org.jboss.security.xacml.core.model.context.ResponseType;
-import org.picketlink.common.exceptions.ProcessingException;
 import org.picketlink.common.constants.JBossSAMLConstants;
 import org.picketlink.common.constants.JBossSAMLURIConstants;
-import org.picketlink.identity.federation.core.saml.v2.util.SAMLXACMLUtil;
+import org.picketlink.common.exceptions.ProcessingException;
 import org.picketlink.common.util.StaxUtil;
+import org.picketlink.identity.federation.core.saml.v2.util.SAMLXACMLUtil;
 import org.picketlink.identity.federation.saml.v2.assertion.AdviceType;
 import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
 import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
@@ -199,6 +199,12 @@ public void write(AuthnStatementType authnStatement) throws ProcessingException
         if (authnInstant != null) {
             StaxUtil.writeAttribute(writer, JBossSAMLConstants.AUTHN_INSTANT.get(), authnInstant.toString());
         }
+
+        String sessionIndex = authnStatement.getSessionIndex();
+
+        if (sessionIndex != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.SESSION_INDEX.get(), sessionIndex);
+        }
 
         AuthnContextType authnContext = authnStatement.getAuthnContext();
         if (authnContext != null)

diff --git a/.../main/java/org/picketlink/identity/federation/core/saml/v2/writers/SAMLRequestWriter.java b/.../main/java/org/picketlink/identity/federation/core/saml/v2/writers/SAMLRequestWriter.java
@@ -1,22 +1,27 @@
 /*
- * JBoss, Home of Professional Open Source
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
  *
- * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
  *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
  *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
  */
 package org.picketlink.identity.federation.core.saml.v2.writers;
 
+import static org.picketlink.common.constants.JBossSAMLConstants.SESSION_INDEX;
 import static org.picketlink.common.constants.JBossSAMLURIConstants.ASSERTION_NSURI;
 import static org.picketlink.common.constants.JBossSAMLURIConstants.PROTOCOL_NSURI;
 
@@ -31,15 +36,15 @@
 
 import org.jboss.security.xacml.core.model.context.ObjectFactory;
 import org.jboss.security.xacml.core.model.context.RequestType;
+import org.picketlink.common.constants.JBossSAMLConstants;
+import org.picketlink.common.constants.JBossSAMLURIConstants;
 import org.picketlink.common.exceptions.ConfigurationException;
 import org.picketlink.common.exceptions.ParsingException;
 import org.picketlink.common.exceptions.ProcessingException;
-import org.picketlink.common.constants.JBossSAMLConstants;
-import org.picketlink.common.constants.JBossSAMLURIConstants;
 import org.picketlink.common.util.DocumentUtil;
-import org.picketlink.identity.federation.core.util.JAXBUtil;
 import org.picketlink.common.util.StaxUtil;
 import org.picketlink.common.util.StringUtil;
+import org.picketlink.identity.federation.core.util.JAXBUtil;
 import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
 import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
 import org.picketlink.identity.federation.saml.v2.assertion.SubjectType;
@@ -180,6 +185,17 @@ public void write(LogoutRequestType logOutRequest) throws ProcessingException {
         if (nameID != null) {
             write(nameID, new QName(ASSERTION_NSURI.get(), JBossSAMLConstants.NAMEID.get(), ASSERTION_PREFIX));
         }
+
+        List<String> sessionIndexes = logOutRequest.getSessionIndex();
+
+        for (String sessionIndex : sessionIndexes) {
+            StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, SESSION_INDEX.get(), PROTOCOL_NSURI.get());
+
+            StaxUtil.writeCharacters(writer, sessionIndex);
+
+            StaxUtil.writeEndElement(writer);
+            StaxUtil.flush(writer);
+        }
 
         StaxUtil.writeEndElement(writer);
         StaxUtil.flush(writer);

diff --git a/...c/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2LogOutHandler.java b/...c/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2LogOutHandler.java
@@ -1,25 +1,30 @@
 /*
- * JBoss, Home of Professional Open Source
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
  *
- * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
  *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
  *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
  */
 package org.picketlink.identity.federation.web.handlers.saml2;
 
 import java.net.URI;
 import java.security.Principal;
 import java.util.Map;
+import java.util.Set;
 
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
@@ -46,9 +51,12 @@
 import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
 import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil;
 import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
+import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
 import org.picketlink.identity.federation.saml.v2.SAML2Object;
 import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
+import org.picketlink.identity.federation.saml.v2.assertion.AuthnStatementType;
 import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
+import org.picketlink.identity.federation.saml.v2.assertion.StatementAbstractType;
 import org.picketlink.identity.federation.saml.v2.protocol.LogoutRequestType;
 import org.picketlink.identity.federation.saml.v2.protocol.RequestAbstractType;
 import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
@@ -57,6 +65,7 @@
 import org.picketlink.identity.federation.saml.v2.protocol.StatusType;
 import org.picketlink.identity.federation.web.core.HTTPContext;
 import org.picketlink.identity.federation.web.core.IdentityServer;
+import org.w3c.dom.Document;
 
 /**
  * SAML2 LogOut Profile
@@ -371,13 +380,40 @@ public void generateSAMLRequest(SAML2HandlerRequest request, SAML2HandlerRespons
 
                 lot.setDestination(URI.create(logoutUrl));
 
+                populateSessionIndex(httpRequest, lot);
+
                 response.setResultingDocument(samlRequest.convert(lot));
                 response.setSendRequest(true);
             } catch (Exception e) {
                 throw logger.processingError(e);
             }
         }
 
+        private void populateSessionIndex(HttpServletRequest httpRequest, LogoutRequestType lot) throws ProcessingException,
+                ConfigurationException, ParsingException {
+            Document currentAssertion = (Document) httpRequest.getSession().getAttribute(GeneralConstants.ASSERTION_SESSION_ATTRIBUTE_NAME);
+
+            if (currentAssertion != null) {
+                AssertionType assertionType = SAMLUtil.fromElement(currentAssertion.getDocumentElement());
+
+                Set<StatementAbstractType> statements = assertionType.getStatements();
+
+                for (StatementAbstractType statementAbstractType : statements) {
+                    if (AuthnStatementType.class.isInstance(statementAbstractType)) {
+                        AuthnStatementType authnStatement = (AuthnStatementType) statementAbstractType;
+
+                        String sessionIndex = authnStatement.getSessionIndex();
+
+                        if (sessionIndex != null) {
+                            lot.addSessionIndex(sessionIndex);
+                        }
+
+                        break;
+                    }
+                }
+            }
+        }
+
         public void handleStatusResponseType(SAML2HandlerRequest request, SAML2HandlerResponse response)
                 throws ProcessingException {
             // Handler a log out response from IDP