in plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java [144:242]
protected FedizResponse processSignInRequest(FedizRequest request, FedizContext config) throws ProcessingException {
SAMLProtocol protocol = (SAMLProtocol)config.getProtocol();
RequestState requestState =
processRelayState(request.getState(), request.getRequestState(), config);
final XMLObject responseObject = getXMLObjectFromToken(request.getResponseToken(),
protocol.isDisableDeflateEncoding());
if (!(responseObject instanceof org.opensaml.saml.saml2.core.Response)) {
throw new ProcessingException(TYPE.INVALID_REQUEST);
}
// Decrypt encrypted assertions
decryptEncryptedAssertions((org.opensaml.saml.saml2.core.Response) responseObject, config);
// Validate the Response
validateSamlResponseProtocol((org.opensaml.saml.saml2.core.Response)responseObject, config);
SSOValidatorResponse ssoValidatorResponse =
validateSamlSSOResponse((org.opensaml.saml.saml2.core.Response)responseObject,
request.getRequest(), requestState, config);
// Validate the internal assertion(s)
TokenValidatorResponse validatorResponse = null;
List<Assertion> assertions = ((org.opensaml.saml.saml2.core.Response)responseObject).getAssertions();
if (assertions.isEmpty()) {
LOG.debug("No Assertion extracted from SAML Response");
throw new ProcessingException(TYPE.INVALID_REQUEST);
}
Element token = assertions.get(0).getDOM();
List<TokenValidator> validators = protocol.getTokenValidators();
for (TokenValidator validator : validators) {
boolean canHandle = validator.canHandleToken(token);
if (canHandle) {
try {
TokenValidatorRequest validatorRequest =
new TokenValidatorRequest(token, request.getCerts());
boolean doNotEnforceAssertionsSigned =
((SAMLProtocol)config.getProtocol()).isDoNotEnforceEncryptedAssertionsSigned()
&& !((org.opensaml.saml.saml2.core.Response)responseObject).getEncryptedAssertions()
.isEmpty();
validatorRequest.setEnforceTokenSigned(!doNotEnforceAssertionsSigned);
validatorResponse = validator.validateAndProcessToken(validatorRequest, config);
} catch (ProcessingException ex) {
throw ex;
} catch (Exception ex) {
LOG.warn("Failed to validate token", ex);
throw new ProcessingException(TYPE.TOKEN_INVALID);
}
break;
} else {
LOG.warn("No security token validator found for '" + token.getLocalName() + "'");
throw new ProcessingException(TYPE.BAD_REQUEST);
}
}
if (validatorResponse == null) {
LOG.warn("No token validation response was available");
throw new ProcessingException(TYPE.BAD_REQUEST);
}
// Check whether token already used for signin
Instant expires = validatorResponse.getExpires();
if (expires == null) {
expires = ssoValidatorResponse.getSessionNotOnOrAfter();
}
testForReplayAttack(validatorResponse.getUniqueTokenId(), config, expires);
List<Claim> claims = validatorResponse.getClaims();
testForMandatoryClaims(config.getProtocol().getRoleURI(),
config.getProtocol().getClaimTypesRequested(),
claims);
if (config.getClaimsProcessor() != null) {
List<ClaimsProcessor> processors = config.getClaimsProcessor();
if (processors != null) {
for (ClaimsProcessor cp : processors) {
LOG.debug("invoking ClaimsProcessor {}", cp);
claims = cp.processClaims(claims);
}
}
}
List<String> roles = getRoles(claims, config.getProtocol().getRoleURI());
FedizResponse fedResponse = new FedizResponse(
validatorResponse.getUsername(), validatorResponse.getIssuer(),
roles, claims,
validatorResponse.getAudience(),
validatorResponse.getCreated(),
expires,
token,
validatorResponse.getUniqueTokenId());
return fedResponse;
}