Author: prabath
Date: Thu May 8 04:37:40 2008
New Revision: 16693
Log:
Made OpenID work with any realm; code review fixes; line length changed to 100.
Modified:
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/IdentityProviderConstants.java
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/Initializer.java
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/UserStore.java
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/admin/ClaimsAdmin.java
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/admin/RealmConfigAdmin.java
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/OpenIDProvider.java
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/OpenIDUtil.java
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/extensions/OpenIDAttributeExchange.java
Modified:
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/IdentityProviderConstants.java
==============================================================================
---
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/IdentityProviderConstants.java
(original)
+++
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/IdentityProviderConstants.java
Thu May 8 04:37:40 2008
@@ -32,8 +32,7 @@
public static final String SERVER = "/server/";
public static final String HTTPS = "https://";
public static final String HTTPS_PORT = "Ports.HTTPS";
- public static final String HOST_NAME = "HostName";
- public static final String AUTHENTICATED_AND_APPROVED =
"authenticatedAndApproved";
+ public static final String HOST_NAME = "HostName";
public static final String REQUESTED_ATTR = "RequestedAttr";
public static final String TRUE = "true";
public static final String PHISHING_RESISTANCE =
"phishingResistanceAuthentication";
@@ -194,7 +193,7 @@
public final static String USER_TRUSTED_RP_KEYSTORE_NAME = "userRP.jks";
- public final static String PARAM_NAME_ENABLE_OPENID_REGISTRATION =
"enableOpenIDReg";
+ public final static String PARAM_NAME_ENABLE_OPENID_LOGIN =
"enableOpenIDLogin";
/**
* Server Config data retrieval Strings.
Modified:
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/Initializer.java
==============================================================================
---
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/Initializer.java
(original)
+++
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/Initializer.java
Thu May 8 04:37:40 2008
@@ -190,7 +190,7 @@
// Enable OpenID registration
paramAdmin
.createOrUpdatearameter(
-
IdentityProviderConstants.PARAM_NAME_ENABLE_OPENID_REGISTRATION,
+
IdentityProviderConstants.PARAM_NAME_ENABLE_OPENID_LOGIN,
null);
}
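Review bot: The comment above the call, `// Enable OpenID registration`, no longer describes what is created — the parameter is now `PARAM_NAME_ENABLE_OPENID_LOGIN`, so it should read `// Enable OpenID login`. The same rename happens in RealmConfigAdmin, where the comment-free call does not have this problem. The enclosing method starts and ends outside the hunk.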
@@ -257,7 +257,8 @@
prop.setName("ColumnNames");
prop.setValue(IdentityProviderConstants.Sample.COLUMN_NAME_EMAIL + ","
+ IdentityProviderConstants.Sample.COLUMN_NAME_FIRSTNAME + ","
- + IdentityProviderConstants.Sample.COLUMN_NAME_LASTNAME);
+ + IdentityProviderConstants.Sample.COLUMN_NAME_LASTNAME + ","
+ + "OPENID");
db.create(prop);
}
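Review bot: The new column name is appended as the bare literal `"OPENID"` while the three neighbouring column names come from `IdentityProviderConstants.Sample.COLUMN_NAME_*`; anything else that later reads or maps this column will have to repeat the literal. Suggest adding a matching constant alongside the existing ones (e.g. a new `COLUMN_NAME_OPENID` in `IdentityProviderConstants.Sample`) and using it here: `+ IdentityProviderConstants.Sample.COLUMN_NAME_OPENID);`. The enclosing method starts and ends outside the hunk.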
@@ -336,7 +337,7 @@
claim.setRequired(true);
} else if (claim.getUri().equals(IdentityConstants.CLAIM_OPENID)) {
claim.setAttrId(IdentityConstants.CLAIM_OPENID);
- claim.setUserEditable(false);
+ claim.setUserEditable(true);
claimsAdmin.updateClaim(claim);
}
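Review bot: Making the OpenID claim user-editable gives the end user control over the value that, elsewhere in this commit, is presumably the key used to resolve an OpenID identifier to a user name (`OpenIDUtil.getUserName(openId)` in OpenIDProvider); nothing in this hunk restricts the value to the provider's own identifier namespace or checks that it is unique across users. If that validation lives in the claim update path it is not visible here; if it does not exist, two users could end up with the same identifier and the resolution would be ambiguous. Suggest recording the invariant next to the flag, e.g. `// user-editable: value must be unique per user and within this OP's namespace (enforced in <TODO: where>)`. The enclosing loop starts and ends outside the hunk.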
@@ -353,6 +354,7 @@
|| claim.getUri()
.equals(IdentityConstants.CLAIM_GIVEN_NAME)
|| claim.getUri().equals(IdentityConstants.CLAIM_SURNAME)
+ || claim.getUri().equals(IdentityConstants.CLAIM_OPENID)
|| claim.getUri().equals(IdentityConstants.CLAIM_PPID)) {
claim.setSupported(true);
claimsAdmin.updateClaim(claim);
Modified:
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/UserStore.java
==============================================================================
---
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/UserStore.java
(original)
+++
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/UserStore.java
Thu May 8 04:37:40 2008
@@ -41,6 +41,7 @@
import java.util.List;
import java.util.Map;
import java.util.Set;
+import java.util.Map.Entry;
/**
* Interface to the user store.
@@ -218,10 +219,45 @@
e);
}
}
+
+ public Map<String, String> getClaimValues(String username)
+ throws IdentityProviderException {
+ try {
+ Map<String, String> propList = null;
+ Map<String, String> tempMap = null;
+ Map<String, String> map = new HashMap<String, String>();
+
+ UserStoreReader usReader = realm.getUserStoreReader();
+ tempMap = usReader.getUserProperties(username);
+
+ ClaimDO[] claims = new ClaimsAdmin().getAllEnabledClaims();
+
+ propList = new HashMap<String, String>();
+ for (int i = 0; i < claims.length; i++) {
+ propList.put(claims[i].getAttrId(),claims[i].getUri());
+ }
+
+ Iterator<Entry<String, String>> iterator = null;
+ Entry<String, String> entry = null;
+
+ iterator = tempMap.entrySet().iterator();
+
+ while (iterator.hasNext()) {
+ entry = iterator.next();
+ map.put(propList.get(entry.getKey()),entry.getValue());
+ }
+
+ return map;
+
+ } catch (UserManagerException e) {
+ throw new IdentityProviderException(
+ "errorExtractingUserProperties", new String[] { username },
+ e);
+ }
+ }
/**
* Access the name of user properties in the store.
- *
* @return A <code>java.util.List</code> of all user property names.
* @throws IdentityProviderException
*/
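Review bot: `map.put(propList.get(entry.getKey()), entry.getValue())` copies every user-store property into the result, and for a property with no enabled claim mapping `propList.get(...)` is null, so the value lands under a null key — later unmapped properties overwrite it there, and the caller receives user-store data that was not mapped to any claim. Suggest skipping unmapped properties: `String claimUri = propList.get(entry.getKey());` / `if (claimUri != null) { map.put(claimUri, entry.getValue()); }`. `tempMap` is also iterated without a null check, and whether `getUserProperties` can return null is not visible here. The new overload has no Javadoc while the existing one below does; a one-line summary plus `@param username` and `@return` (claim URI to value, limited to enabled claims) would bring it in line.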
@@ -278,11 +314,20 @@
* @return
* @throws IdentityProviderException
*/
- public Map<String,String> getClaimValues(String username, String
profileName,
- List<String> propertyNames) throws IdentityProviderException {
+ public Map<String, String> getClaimValues(String username,
+ String profileName, List<String> propertyNames)
+ throws IdentityProviderException {
try {
- IdentityUserStoreReader usReader =
((IdentityDefaultRealm)realm).getIdentityUserStoreReader();
- return usReader.getUserProperties(username, profileName);
+
+ if (realm instanceof IdentityDefaultRealm) {
+ IdentityUserStoreReader usReader = ((IdentityDefaultRealm)
realm)
+ .getIdentityUserStoreReader();
+ return usReader.getUserProperties(username, profileName);
+ } else {
+ UserStoreReader usReader = realm.getUserStoreReader();
+ return usReader.getUserProperties(username);
+ }
+
} catch (UserManagerException e) {
throw new IdentityProviderException(
"errorExtractingUserProperties", new String[] { username },
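Review bot: In the new fallback branch `realm.getUserStoreReader().getUserProperties(username)` drops `profileName`, so a caller asking for a named profile on a realm other than `IdentityDefaultRealm` silently gets the realm's single property set; `propertyNames` is unused in both branches. If that degradation is intended, record it on the empty `@return` tag above the signature, e.g. `@return claim values for the requested profile; realms other than IdentityDefaultRealm have no profiles and return the user's default properties`. The method's Javadoc starts outside the hunk and the catch block continues past it.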
Modified:
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/admin/ClaimsAdmin.java
==============================================================================
---
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/admin/ClaimsAdmin.java
(original)
+++
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/admin/ClaimsAdmin.java
Thu May 8 04:37:40 2008
@@ -143,7 +143,7 @@
//Disable all claims other that ppid
//when mappings are reset
- if (!claim.getUri().equals(IdentityConstants.CLAIM_PPID)) {
+ if (!claim.getUri().equals(IdentityConstants.CLAIM_PPID)&&
!claim.getUri().equals(IdentityConstants.CLAIM_OPENID)) {
claim.setSupported(false);
}
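Review bot: The comment `//Disable all claims other that ppid` is now wrong on two counts — the typo and the fact that the new condition also exempts `CLAIM_OPENID`; suggest `// Disable all claims other than PPID and OpenID when mappings are reset`. The same pair of always-on claims is enumerated again in the Initializer hunk that adds `CLAIM_OPENID` to the supported list, so a shared constant or helper would keep the two lists from drifting. The enclosing loop starts outside the hunk.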
Modified:
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/admin/RealmConfigAdmin.java
==============================================================================
---
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/admin/RealmConfigAdmin.java
(original)
+++
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/admin/RealmConfigAdmin.java
Thu May 8 04:37:40 2008
@@ -28,6 +28,7 @@
import org.wso2.solutions.identity.persistence.dataobject.RealmConfigurationDO;
import
org.wso2.solutions.identity.persistence.dataobject.RealmConfigurationPropertyDO;
import org.wso2.solutions.identity.persistence.dataobject.RealmDO;
+import org.wso2.solutions.identity.users.IdentityDefaultRealm;
import org.wso2.solutions.identity.users.wsas.WSASRealm;
import org.wso2.usermanager.custom.jdbc.JDBCRealm;
import org.wso2.usermanager.custom.ldap.LDAPRealm;
@@ -85,15 +86,9 @@
paramAdmin
.removeParam(IdentityProviderConstants.PARAM_NAME_ALLOW_USER_REGISTRATION);
}
-
- if (paramAdmin
-
.getParameter(IdentityProviderConstants.PARAM_NAME_ENABLE_OPENID_REGISTRATION)
!= null) {
- paramAdmin
-
.removeParam(IdentityProviderConstants.PARAM_NAME_ENABLE_OPENID_REGISTRATION);
- }
-
+
return true;
- } else if (realmClassName.equals(DefaultRealm.class.getName())) {
+ } else if
(realmClassName.equals(IdentityDefaultRealm.class.getName())) {
ParameterAdmin paramAdmin = new ParameterAdmin();
paramAdmin
.createOrUpdatearameter(
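Review bot: When switching away from the default realm, `PARAM_NAME_ALLOW_USER_REGISTRATION` is still removed but the removal of the OpenID parameter was deleted outright rather than retargeted to `PARAM_NAME_ENABLE_OPENID_LOGIN`, while the following hunk still creates that parameter only in the `IdentityDefaultRealm` branch. The net effect, as far as this hunk shows, is that the OpenID-login flag survives a switch to a JDBC/LDAP/WSAS realm if it was created earlier but is never created for a fresh configuration using one of those realms. If OpenID is meant to work with any realm, as the commit message says, the creation should probably move out of the realm-specific branch; if not, the removal should be restored with the new constant. A short comment stating which is intended would help either way, e.g. `// OpenID login is realm-independent; the flag is intentionally left in place`. The enclosing if/else chain starts outside the hunk.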
@@ -101,7 +96,7 @@
null);
paramAdmin
.createOrUpdatearameter(
-
IdentityProviderConstants.PARAM_NAME_ENABLE_OPENID_REGISTRATION,
+
IdentityProviderConstants.PARAM_NAME_ENABLE_OPENID_LOGIN,
null);
}
Modified:
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/OpenIDProvider.java
==============================================================================
---
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/OpenIDProvider.java
(original)
+++
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/OpenIDProvider.java
Thu May 8 04:37:40 2008
@@ -1,17 +1,12 @@
/*
- * Copyright 2005-2008 WSO2, Inc. (http://wso2.com)
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * Copyright 2005-2008 WSO2, Inc. (http://wso2.com) Licensed under the Apache
+ * License, Version 2.0 (the "License"); you may not use this file except in
+ * compliance with the License. You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law
+ * or agreed to in writing, software distributed under the License is
+ * distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
*/
package org.wso2.solutions.identity.openid;
@@ -54,488 +49,479 @@
/**
* Handles functionality related OpenID association,
* authentication,checkid_immediate & checkid_setup.
- * check_authentication [POST] : Ask an Identity Provider if a message is
valid. For dumb, state-less
+ * check_authentication [POST] :
+ * Ask an Identity Provider if a message is valid. For dumb, state-less
* Consumers or when verifying an invalidate_handle response.
- * checkid_setup [GET] : Ask an Identity Provider if a End User owns the
Claimed Identifier, but be
- * willing to wait for the reply. The Consumer will pass the User-Agent to the
- * Identity Provider for a short period of time which will return either a
"yes"
- * or "cancel" answer.
- * checkid_immediate [GET] : Ask an Identity Provider if a End User owns the
Claimed Identifier,
- * getting back an immediate "yes" or "can't say" answer.
+ * checkid_setup [GET] :
+ * Ask an Identity Provider if a End User owns the Claimed Identifier,
+ * but be willing to wait for the reply. The Consumer will pass the User-Agent
+ * to the Identity Provider for a short period of time which will return either
+ * a "yes" or "cancel" answer.
+ * checkid_immediate [GET] :
+ * Ask an Identity Provider if a End User owns the Claimed Identifier, getting
back an immediate
+ * "yes" or "can't say" answer.
* associate [POST] : Establish a shared secret between Consumer and Identity
Provider
*/
public class OpenIDProvider {
- // Instantiate a ServerManager object.
- private ServerManager manager = new ServerManager();
+ // Instantiate a ServerManager object.
+ private ServerManager manager = new ServerManager();
- private String authPage;
- private String opAddress;
+ private String authPage;
+ private String opAddress;
- // Guaranteed to be thread safe
- private static OpenIDProvider provider = new OpenIDProvider();
- private static Log log = LogFactory.getLog(OpenIDProvider.class);
-
- /**
- * Configure the OpenID Provider's end-point URL
- */
- private OpenIDProvider() {
- ServerConfiguration serverConfig = null;
- String openIDServerUrl = null;
-
- serverConfig = ServerConfiguration.getInstance();
- openIDServerUrl = serverConfig
- .getFirstProperty(IdentityProviderConstants.OPENID_SERVER_URL);
-
- // This is the OpenID provider server URL
- opAddress = openIDServerUrl + IdentityProviderConstants.SERVER;
-
- // The URL which accepts OpenID Authentication requests, obtained by
- // performing discovery on the the User-Supplied Identifier. This value
- // must be an absolute URL
- manager.setOPEndpointUrl(opAddress);
- }
-
- // Return an instance of the OpenIDProvider
- public static OpenIDProvider getInstance() {
- return provider;
- }
-
- /**
- * This is the page the user will be redirected for authentication.
- * @param authPage Authentication page
- */
- public void setAuthPage(String authPage) {
-
- ServerConfiguration serverConfig = null;
- String host = null;
- String httpsPort = null;
-
- serverConfig = ServerConfiguration.getInstance();
-
- // Read the host name from the configuration file
- host = serverConfig
- .getFirstProperty(IdentityProviderConstants.HOST_NAME);
- // Read the port from the configuration file
- httpsPort = serverConfig
- .getFirstProperty(IdentityProviderConstants.HTTPS_PORT);
-
- // Should be always on HTTPS
- this.authPage = IdentityProviderConstants.HTTPS + host + ":"
- + httpsPort + "/" + authPage;
- }
-
- /**
- * @return OpenID Provider server URL.
- */
- public String getOpAddress() {
- return opAddress;
- }
-
- /**
- * @return ServerManager instance.
- */
- public ServerManager getManager() {
- return manager;
- }
-
- /**
- * Process the Relying Party request at the OpenID Provider end. Handles
- * functionality related OpenID association,
- * authentication,checkid_immediate & checkid_setup.
- * @param httpReq HttpServletRequest
- * @param httpResp HttpServletResponse
- * @return The URL to be redirected with requested parameters being
- * attached.
- * @throws IdentityProviderException Failed sending the direct response to
- * the OpenID consumer.
- */
- public String processRequest(HttpServletRequest httpReq,
- HttpServletResponse httpResp) throws IdentityProviderException {
-
- ParameterList request = null;
- Message message = null;
- String responseText = null;
- HttpSession session = null;
-
- try {
-
- if (httpReq == null || httpResp == null) {
- throw new IdentityProviderException(
- ErrorCodes.REQUIRED_ATTRIBUTE_MISSING);
- }
-
- session = httpReq.getSession();
-
- if (OpenId.COMPLETE.equals(httpReq.getParameter(OpenId.ACTION))
- || OpenId.CANCEL
- .equals(httpReq.getParameter(OpenId.ACTION))) {
- // Ready for authentication.
- request = (ParameterList) session
- .getAttribute(OpenId.PARAM_LIST);
- } else {
- // Extract the parameters from the request.
- // Authentication not completed.
- request = new ParameterList(httpReq.getParameterMap());
- }
-
- if (request == null) {
- responseText =
getErrorResponseText(ErrorCodes.INVALID_AUTHENTICATION_REQUEST);
- directResponse(httpResp, responseText);
- return null;
- }
-
- String mode = request.hasParameter(OpenId.ATTR_MODE) ? request
- .getParameterValue(OpenId.ATTR_MODE) : null;
-
- if (OpenId.ASSOCIATE.equals(mode)) {
- // Process an association request made by RP.
- // Description: Establish a shared secret between Consumer and
- // Identity Provider.
- // HTTP method: POST
- // Flow: Consumer -> IdP -> Consumer
- message = manager.associationResponse(request);
- responseText = message.keyValueFormEncoding();
- } else if (OpenId.CHECKID_SETUP.equals(mode)
- || OpenId.CHECKID_IMMEDIATE.equals(mode)) {
- // checkid_immediate
- // Description: Ask an Identity Provider if a End User owns the
- // Claimed Identifier, getting back an immediate "yes" or
"can't
- // say" answer.
- // HTTP method: GET
- // Flow: Consumer -> User-Agent -> IdP -> User-Agent ->
Consumer
-
- // checkid_setup
- // Description: Ask an Identity Provider if a End User owns the
- // Claimed Identifier, but be willing to wait for the reply.
The
- // Consumer will pass the User-Agent to the Identity Provider
- // for a short period of time which will return either a "yes"
- // or "cancel" answer.
- // HTTP method: GET
- // Flow: Consumer -> User-Agent -> [IdP -> User-Agent ->]+
- // Consumer
- return checkSetupOrImmediate(httpReq, httpResp, request);
- } else if (OpenId.CHECK_AUTHENTICATION.equals(mode)) {
- // Description: Ask an Identity Provider if a message is valid.
- // HTTP method: POST
- // Flow: Consumer -> IdP -> Consumer
- responseText = checkAuthentication(request);
- } else {
- // Error response - oops..!!! we did not get a valid OpenID
mode.
- responseText =
getErrorResponseText(ErrorCodes.UNKNOWN_REQUEST);
- }
-
- } catch (IOException e) {
- responseText = getErrorResponseText(e.getMessage());
- } catch (AssociationException assoc) {
- responseText = getErrorResponseText(assoc.getMessage());
- } catch (MessageException msgEx) {
- responseText = getErrorResponseText(msgEx.getMessage());
- } catch (ServerException serverEx) {
- responseText = getErrorResponseText(serverEx.getMessage());
- }
-
- try {
- // Return the result to the user.
- directResponse(httpResp, responseText);
- } catch (IOException e) {
- log.error(e.getMessage());
- throw new IdentityProviderException(
- ErrorCodes.OPENID_DIRECT_RESP_FAILED);
- }
-
- return null;
- }
-
- /**
- * checkid_immediate : Ask an Identity Provider if an End User owns the
- * Claimed Identifier, getting back an immediate "yes" or "can't say"
- * answer.
- * checkid_setup Description: Ask an Identity Provider if a End User
- * owns the Claimed Identifier, but be willing to wait for the reply. The
- * Consumer will pass the User-Agent to the Identity Provider for a short
- * period of time which will return either a "yes" or "cancel" answer.
- */
- private String checkSetupOrImmediate(HttpServletRequest httpReq,
- HttpServletResponse httpResp, ParameterList params)
- throws IdentityProviderException, ServerException,
- MessageException, AssociationException {
-
- boolean authenticatedAndApproved = false;
- String userSelectedClaimedId = null;
- String openId = null;
- String userId = null;
- Message message = null;
- HttpSession session = null;
- String returnTo = null;
- String profileName = null;
- String password = null;
-
- session = httpReq.getSession();
-
- /*
- * openid.mode : "checkid_immediate"
- * openid.identity : Claimed Identifier
- * openid.assoc_handle : The assoc_handle from the associate request.
- * openid.return_to : URL where the Provider SHOULD return the
User-Agent back to.
- * openid.trust_root : URL the Provider SHALL ask the End User to
trust.
- */
-
- openId = params.hasParameter(IdentityConstants.OpenId.ATTR_IDENTITY) ?
params
- .getParameterValue(IdentityConstants.OpenId.ATTR_IDENTITY)
- : null;
-
- if (openId == null)
- throw new IdentityProviderException(
- IdentityConstants.ErrorCodes.REQUIRED_ATTRIBUTE_MISSING);
-
- // Get user name corresponding to the given OpenID.
- userId = OpenIDUtil.getUserName(openId);
-
- password = (String) session.getAttribute(IdentityConstants.PASSWORD);
- session.removeAttribute(IdentityConstants.PASSWORD);
-
- if (httpReq
-
.getParameter(IdentityProviderConstants.AUTHENTICATED_AND_APPROVED) != null
- && IdentityProviderConstants.TRUE
- .equals(httpReq
-
.getParameter(IdentityProviderConstants.AUTHENTICATED_AND_APPROVED))) {
-
- if (OpenIDUtil.doLogin(userId, password)) {
-
- IPPersistenceManager persistenceManager = null;
- OpenIDUserRPDO[] rpdo = null;
-
- persistenceManager = IPPersistenceManager
- .getPersistanceManager();
- returnTo = params
-
.getParameterValue(IdentityConstants.OpenId.ATTR_RETURN_TO);
- // Get the default profile correponding to the authenticating
- // relying party.
- rpdo = persistenceManager.getOpenIDUserRP(userId, OpenIDUtil
- .getRelyingPartyUrl(returnTo));
- if (rpdo != null && rpdo.length > 0)
- profileName = rpdo[0].getDefaultProfileName();
-
- // Done - authenticated and approved.
- authenticatedAndApproved = true;
- }
- }
-
- // Process an authentication request.
- AuthRequest authReq = AuthRequest.createAuthRequest(params, manager
- .getRealmVerifier());
-
- List<String> requestedAttributes = null;
-
- if (IdentityConstants.OpenId.CANCEL.equals(httpReq
- .getParameter(IdentityConstants.OpenId.ACTION))) {
- authenticatedAndApproved = false;
- } else if (!authenticatedAndApproved) {
- // Not authenticated, redirect to the authentication
- // page.
- requestedAttributes = getRequestedAttributes(authReq);
- session.setAttribute(IdentityConstants.OpenId.PARAM_LIST, params);
- session.setAttribute(IdentityProviderConstants.REQUESTED_ATTR,
- requestedAttributes);
- return authPage;
- }
-
- // Clear the session
- session.removeAttribute(IdentityProviderConstants.REQUESTED_ATTR);
-
- String opLocalId = null;
-
- message = manager.authResponse(params, opLocalId,
- userSelectedClaimedId, authenticatedAndApproved);
-
- if (message instanceof DirectError || message instanceof AuthFailure) {
- // Validation fails - returns 'cancel'.
- return message.getDestinationUrl(true);
- } else {
- OpenIDExtension extension = null;
- OpenIDAuthenticationRequest req = null;
-
- req = new OpenIDAuthenticationRequest();
-
- if (IdentityProviderConstants.TRUE
- .equals(session
-
.getAttribute(IdentityProviderConstants.PHISHING_RESISTANCE))) {
- // Relying party requests Phishing-resistant login.
- req.setPhishingResistanceLogin(true);
- // Clear the session.
- session
-
.removeAttribute(IdentityProviderConstants.PHISHING_RESISTANCE);
- }
-
- if (IdentityProviderConstants.TRUE.equals(session
-
.getAttribute(IdentityProviderConstants.MULTI_FACTOR_AUTH))) {
- // Relying party requests Phishing-resistant login.
- req.setMultifactorLogin(true);
- // Clear the cache.
- session
-
.removeAttribute(IdentityProviderConstants.MULTI_FACTOR_AUTH);
- }
-
- req.setAuthRequest(authReq);
-
- boolean hasExtension = false;
- boolean hasSregExtension = false;
-
- // A given OpenID authentication request can contain multiple
- // extensions.
- // OpenIDProvider is not aware of extensions - we simply delegate
- // the extension processing logic to a subclass of OpenIDExtension.
- for (Object alias : authReq.getExtensions()) {
-
- req.setExtensionAlias((String) alias);
-
- // Get the corresponding OpenIDExtension instance from the
- // OpenIDExtensionFactory.
- extension = OpenIDExtensionFactory.getInstance().getExtension(
- req);
- if (extension != null) {
- MessageExtension messageExtension = null;
- messageExtension = extension.getMessageExtension(userId,
- profileName);
- if (messageExtension != null) {
- message.addExtension(messageExtension);
- AuthSuccess authSuccess = (AuthSuccess) message;
- authSuccess.setSignExtension((String) alias);
-
- if ((messageExtension instanceof SRegMessage)
- && req
- .getExtensionAlias()
- .equals(
-
IdentityConstants.OpenId.SimpleRegAttributes.NS_SREG)) {
- hasSregExtension = true;
- } else {
- hasExtension = true;
- }
- manager.sign(authSuccess);
- }
- }
- }
-
- if (hasSregExtension && !hasExtension) {
- // We only have SReg extensions.
- return message.getDestinationUrl(true);
- }
-
- // POST data.
- sendData(httpReq, httpResp, message);
- return null;
- }
- }
-
- /**
- * Ask an Identity Provider if a message is valid.
- * HTTP method: POST Flow:
- * Consumer -> IdP -> Consumer
- * @param params List of parameters from the OpenID authentication request
- * @return response text
- */
- private String checkAuthentication(ParameterList params) {
- Message message = null;
-
- /*
- openid.mode : "check_authentication"
- openid.assoc_handle : The association handle from checkid_setup
or checkid_immediate response.
- openid.sig : The signature from the checkid_setup or
checkid_immediate request the Consumer wishes to verify.
- openid.signed : The list of signed fields from the
checkid_setup or checkid_immediate request
- the Consumer wishes to verify the
signature of.
- openid.* : The Consumer MUST send all the openid.*
response parameters from the openid.signed
- list which they'd previously gotten back
from a checkid_setup or checkid_immediate request,
- with their values being exactly what were
returned from the Provider.
- openid.invalidate_handle : Optional; association handle returned via
invalidate_handle.
- */
-
- // Processing a verification request.
- message = manager.verify(params);
- return message.keyValueFormEncoding();
- }
-
- /**
- * Return the error response message based on the given message
- * @param message Error message
- * @return Direct error
- */
- private String getErrorResponseText(String message) {
- log.error(message);
- // Error response.
- return DirectError.createDirectError(message).keyValueFormEncoding();
- }
-
- /**
- * @param request OpenID authentication request.
- * @return A list of requested parameters.
- * @throws IdentityProviderException
- */
- private List<String> getRequestedAttributes(AuthRequest request)
- throws IdentityProviderException {
-
- OpenIDAuthenticationRequest req = null;
- OpenIDExtension extension = null;
- List<String> requiredAttributes = null;
-
- req = new OpenIDAuthenticationRequest();
- req.setAuthRequest(request);
- requiredAttributes = new ArrayList<String>();
-
- for (Object alias : request.getExtensions()) {
- req.setExtensionAlias((String) alias);
- extension = OpenIDExtensionFactory.getInstance().getExtension(req);
- if (extension != null) {
- extension.addRequiredAttributes(requiredAttributes);
- }
- }
-
- return requiredAttributes;
- }
-
- /**
- * Post data to the OpenID relying party.
- * @param httpReq HttpServletRequest
- * @param httpResp HttpServletResponse
- * @param message OpenID response message
- * @throws IdentityProviderException
- */
- private void sendData(HttpServletRequest httpReq,
- HttpServletResponse httpResp, Message message)
- throws IdentityProviderException {
-
- try {
- // HTML FORM Redirection
- RequestDispatcher dispatcher = httpReq
-
.getRequestDispatcher(IdentityProviderConstants.FORM_REDIRECTION);
- httpReq.setAttribute(IdentityProviderConstants.PARAM_MAP, message
- .getParameterMap());
- httpReq.setAttribute(IdentityProviderConstants.DESTINATION_URL,
- message.getDestinationUrl(false));
- dispatcher.forward(httpReq, httpResp);
- } catch (Exception e) {
- throw new IdentityProviderException(
- IdentityConstants.ErrorCodes.OPENID_RESP_GENERATION_FAILED,
- e);
- }
- }
-
- /**
- * Send a direct response to the RP.
- * @param httpResp HttpServletResponse
- * @param response Response message
- * @return
- * @throws IOException
- */
- private void directResponse(HttpServletResponse httpResp, String response)
- throws IOException {
- ServletOutputStream stream = null;
- try {
- stream = httpResp.getOutputStream();
- stream.write(response.getBytes());
- } finally {
- if (stream != null)
- stream.close();
- }
- }
+ // Guaranteed to be thread safe
+ private static OpenIDProvider provider = new OpenIDProvider();
+ private static Log log = LogFactory.getLog(OpenIDProvider.class);
+
+ /**
+ * Configure the OpenID Provider's end-point URL
+ */
+ private OpenIDProvider() {
+ ServerConfiguration serverConfig = null;
+ String openIDServerUrl = null;
+
+ serverConfig = ServerConfiguration.getInstance();
+ openIDServerUrl = serverConfig
+
.getFirstProperty(IdentityProviderConstants.OPENID_SERVER_URL);
+
+ // This is the OpenID provider server URL
+ opAddress = openIDServerUrl + IdentityProviderConstants.SERVER;
+
+ // The URL which accepts OpenID Authentication requests,
obtained by
+ // performing discovery on the the User-Supplied Identifier.
This value
+ // must be an absolute URL
+ manager.setOPEndpointUrl(opAddress);
+ }
+
+ // Return an instance of the OpenIDProvider
+ public static OpenIDProvider getInstance() {
+ return provider;
+ }
+
+ /**
+ * This is the page the user will be redirected for authentication.
+ *
+ * @param authPage Authentication page
+ */
+ public void setAuthPage(String authPage) {
+
+ ServerConfiguration serverConfig = null;
+ String host = null;
+ String httpsPort = null;
+
+ serverConfig = ServerConfiguration.getInstance();
+
+ // Read the host name from the configuration file
+ host =
serverConfig.getFirstProperty(IdentityProviderConstants.HOST_NAME);
+ // Read the port from the configuration file
+ httpsPort =
serverConfig.getFirstProperty(IdentityProviderConstants.HTTPS_PORT);
+
+ // Should be always on HTTPS
+ this.authPage = IdentityProviderConstants.HTTPS + host + ":" +
httpsPort + "/" + authPage;
+ }
+
+ /**
+ * @return OpenID Provider server URL.
+ */
+ public String getOpAddress() {
+ return opAddress;
+ }
+
+ /**
+ * @return ServerManager instance.
+ */
+ public ServerManager getManager() {
+ return manager;
+ }
+
+ /**
+ * Process the Relying Party request at the OpenID Provider end. Handles
+ * functionality related OpenID association,
+ * authentication,checkid_immediate & checkid_setup.
+ *
+ * @param httpReq HttpServletRequest
+ * @param httpResp HttpServletResponse
+ * @return The URL to be redirected with requested parameters being
+ * attached.
+ * @throws IdentityProviderException Failed sending the direct response
to
+ * the OpenID consumer.
+ */
+ public String processRequest(HttpServletRequest httpReq,
HttpServletResponse httpResp)
+ throws IdentityProviderException {
+
+ ParameterList request = null;
+ Message message = null;
+ String responseText = null;
+ HttpSession session = null;
+
+ try {
+
+ if (httpReq == null || httpResp == null) {
+ throw new
IdentityProviderException(ErrorCodes.REQUIRED_ATTRIBUTE_MISSING);
+ }
+
+ session = httpReq.getSession();
+
+ if
(OpenId.COMPLETE.equals(httpReq.getParameter(OpenId.ACTION))
+ ||
OpenId.CANCEL.equals(httpReq.getParameter(OpenId.ACTION))) {
+ // Ready for authentication.
+ request = (ParameterList)
session.getAttribute(OpenId.PARAM_LIST);
+ } else {
+ // Extract the parameters from the request.
+ // Authentication not completed.
+ request = new
ParameterList(httpReq.getParameterMap());
+ }
+
+ if (request == null) {
+ responseText =
getErrorResponseText(ErrorCodes.INVALID_AUTHENTICATION_REQUEST);
+ directResponse(httpResp, responseText);
+ return null;
+ }
+
+ String mode = request.hasParameter(OpenId.ATTR_MODE) ?
request
+ .getParameterValue(OpenId.ATTR_MODE) :
null;
+
+ if (OpenId.ASSOCIATE.equals(mode)) {
+ // Process an association request made by RP.
+ // Description: Establish a shared secret
between Consumer and
+ // Identity Provider.
+ // HTTP method: POST
+ // Flow: Consumer -> IdP -> Consumer
+ message = manager.associationResponse(request);
+ responseText = message.keyValueFormEncoding();
+ } else if (OpenId.CHECKID_SETUP.equals(mode) ||
OpenId.CHECKID_IMMEDIATE.equals(mode)) {
+ // checkid_immediate
+ // Description: Ask an Identity Provider if a
End User owns the
+ // Claimed Identifier, getting back an
immediate "yes" or "can't
+ // say" answer.
+ // HTTP method: GET
+ // Flow: Consumer -> User-Agent -> IdP ->
User-Agent -> Consumer
+
+ // checkid_setup
+ // Description: Ask an Identity Provider if a
End User owns the
+ // Claimed Identifier, but be willing to wait
for the reply. The
+ // Consumer will pass the User-Agent to the
Identity Provider
+ // for a short period of time which will return
either a "yes"
+ // or "cancel" answer.
+ // HTTP method: GET
+ // Flow: Consumer -> User-Agent -> [IdP ->
User-Agent ->]+
+ // Consumer
+ return checkSetupOrImmediate(httpReq, httpResp,
request);
+ } else if (OpenId.CHECK_AUTHENTICATION.equals(mode)) {
+ // Description: Ask an Identity Provider if a
message is valid.
+ // HTTP method: POST
+ // Flow: Consumer -> IdP -> Consumer
+ responseText = checkAuthentication(request);
+ } else {
+ // Error response - oops..!!! we did not get a
valid OpenID
+ // mode.
+ responseText =
getErrorResponseText(ErrorCodes.UNKNOWN_REQUEST);
+ }
+
+ } catch (IOException e) {
+ responseText = getErrorResponseText(e.getMessage());
+ } catch (AssociationException assoc) {
+ responseText = getErrorResponseText(assoc.getMessage());
+ } catch (MessageException msgEx) {
+ responseText = getErrorResponseText(msgEx.getMessage());
+ } catch (ServerException serverEx) {
+ responseText =
getErrorResponseText(serverEx.getMessage());
+ }
+
+ try {
+ // Return the result to the user.
+ directResponse(httpResp, responseText);
+ } catch (IOException e) {
+ log.error(e.getMessage());
+ throw new
IdentityProviderException(ErrorCodes.OPENID_DIRECT_RESP_FAILED);
+ }
+
+ return null;
+ }
+
+ /**
+ * checkid_immediate : Ask an Identity Provider if an End User owns the
+ * Claimed Identifier, getting back an immediate "yes" or "can't say"
+ * answer. checkid_setup Description: Ask an Identity Provider if a End
User
+ * owns the Claimed Identifier, but be willing to wait for the reply.
The
+ * Consumer will pass the User-Agent to the Identity Provider for a
short
+ * period of time which will return either a "yes" or "cancel" answer.
+ */
+ private String checkSetupOrImmediate(HttpServletRequest httpReq,
HttpServletResponse httpResp,
+ ParameterList params) throws IdentityProviderException,
ServerException,
+ MessageException, AssociationException {
+
+ boolean authenticatedAndApproved = false;
+ String userSelectedClaimedId = null;
+ String openId = null;
+ String userId = null;
+ Message message = null;
+ HttpSession session = null;
+ String returnTo = null;
+ String profileName = null;
+ String password = null;
+ String infoCardLogin = null;
+
+ session = httpReq.getSession();
+
+ /*
+ * openid.mode : "checkid_immediate" openid.identity : Claimed
+ * Identifier openid.assoc_handle : The assoc_handle from the
associate
+ * request. openid.return_to : URL where the Provider SHOULD
return the
+ * User-Agent back to. openid.trust_root : URL the Provider
SHALL ask
+ * the End User to trust.
+ */
+
+ openId =
params.hasParameter(IdentityConstants.OpenId.ATTR_IDENTITY) ? params
+
.getParameterValue(IdentityConstants.OpenId.ATTR_IDENTITY) : null;
+
+ if (openId == null)
+ throw new IdentityProviderException(
+
IdentityConstants.ErrorCodes.REQUIRED_ATTRIBUTE_MISSING);
+
+ // Get user name corresponding to the given OpenID.
+ userId = OpenIDUtil.getUserName(openId);
+
+ password = (String)
session.getAttribute(IdentityConstants.PASSWORD);
+ session.removeAttribute(IdentityConstants.PASSWORD);
+
+ infoCardLogin = (String)
session.getAttribute(IdentityConstants.INFOCARD_LOGIN);
+ session.removeAttribute(IdentityConstants.INFOCARD_LOGIN);
+
+ if (httpReq.getParameter(IdentityConstants.USER_APPROVED) !=
null
+ && IdentityProviderConstants.TRUE.equals(httpReq
+
.getParameter(IdentityConstants.USER_APPROVED))) {
+
+ if
(IdentityConstants.INFOCARD_LOGIN.equals(infoCardLogin)
+ || OpenIDUtil.doLogin(userId,
password)) {
+
+ IPPersistenceManager persistenceManager = null;
+ OpenIDUserRPDO[] rpdo = null;
+
+ persistenceManager =
IPPersistenceManager.getPersistanceManager();
+ returnTo =
params.getParameterValue(IdentityConstants.OpenId.ATTR_RETURN_TO);
+ // Get the default profile correponding to the
authenticating
+ // relying party.
+ rpdo =
persistenceManager.getOpenIDUserRP(userId, OpenIDUtil
+ .getRelyingPartyUrl(returnTo));
+ if (rpdo != null && rpdo.length > 0)
+ profileName =
rpdo[0].getDefaultProfileName();
+
+ // Done - authenticated and approved.
+ authenticatedAndApproved = true;
+ }
+ }
+
+ // Process an authentication request.
+ AuthRequest authReq = AuthRequest.createAuthRequest(params,
manager.getRealmVerifier());
+
+ List<String> requestedAttributes = null;
+
+ if (IdentityConstants.OpenId.CANCEL.equals(httpReq
+
.getParameter(IdentityConstants.OpenId.ACTION))) {
+ authenticatedAndApproved = false;
+ } else if (!authenticatedAndApproved) {
+ // Not authenticated, redirect to the authentication
+ // page.
+ requestedAttributes = getRequestedAttributes(authReq);
+
session.setAttribute(IdentityConstants.OpenId.PARAM_LIST, params);
+
session.setAttribute(IdentityProviderConstants.REQUESTED_ATTR,
requestedAttributes);
+ return authPage;
+ }
+
+ // Clear the session
+
session.removeAttribute(IdentityProviderConstants.REQUESTED_ATTR);
+
+ String opLocalId = null;
+
+ message = manager.authResponse(params, opLocalId,
userSelectedClaimedId,
+ authenticatedAndApproved);
+
+ if (message instanceof DirectError || message instanceof
AuthFailure) {
+ // Validation fails - returns 'cancel'.
+ return message.getDestinationUrl(true);
+ } else {
+ OpenIDExtension extension = null;
+ OpenIDAuthenticationRequest req = null;
+
+ req = new OpenIDAuthenticationRequest();
+
+ if (IdentityProviderConstants.TRUE.equals(session
+
.getAttribute(IdentityProviderConstants.PHISHING_RESISTANCE))) {
+ // Relying party requests Phishing-resistant
login.
+ req.setPhishingResistanceLogin(true);
+ // Clear the session.
+
session.removeAttribute(IdentityProviderConstants.PHISHING_RESISTANCE);
+ }
+
+ if (IdentityProviderConstants.TRUE.equals(session
+
.getAttribute(IdentityProviderConstants.MULTI_FACTOR_AUTH))) {
+ // Relying party requests Phishing-resistant
login.
+ req.setMultifactorLogin(true);
+ // Clear the cache.
+
session.removeAttribute(IdentityProviderConstants.MULTI_FACTOR_AUTH);
+ }
+
+ req.setAuthRequest(authReq);
+
+ boolean hasExtension = false;
+ boolean hasSregExtension = false;
+
+ // A given OpenID authentication request can contain
multiple
+ // extensions.
+ // OpenIDProvider is not aware of extensions - we
simply delegate
+ // the extension processing logic to a subclass of
OpenIDExtension.
+ for (Object alias : authReq.getExtensions()) {
+
+ req.setExtensionAlias((String) alias);
+
+ // Get the corresponding OpenIDExtension
instance from the
+ // OpenIDExtensionFactory.
+ extension =
OpenIDExtensionFactory.getInstance().getExtension(req);
+ if (extension != null) {
+ MessageExtension messageExtension =
null;
+ messageExtension =
extension.getMessageExtension(userId, profileName);
+ if (messageExtension != null) {
+
message.addExtension(messageExtension);
+ AuthSuccess authSuccess =
(AuthSuccess) message;
+
authSuccess.setSignExtension((String) alias);
+
+ if ((messageExtension
instanceof SRegMessage)
+ &&
req.getExtensionAlias().equals(
+
IdentityConstants.OpenId.SimpleRegAttributes.NS_SREG)) {
+ hasSregExtension = true;
+ } else {
+ hasExtension = true;
+ }
+ manager.sign(authSuccess);
+ }
+ }
+ }
+
+ if (hasSregExtension && !hasExtension) {
+ // We only have SReg extensions.
+ return message.getDestinationUrl(true);
+ }
+
+ // POST data.
+ sendData(httpReq, httpResp, message);
+ return null;
+ }
+ }
+
+ /**
+ * Ask an Identity Provider if a message is valid. HTTP method: POST
Flow:
+ * Consumer -> IdP -> Consumer
+ *
+ * @param params List of parameters from the OpenID authentication
request
+ * @return response text
+ */
+ private String checkAuthentication(ParameterList params) {
+ Message message = null;
+
+ /*
+ * openid.mode : "check_authentication"
+ * openid.assoc_handle : The association handle from
checkid_setup or
+ * checkid_immediate response.
+ * openid.sig : The signature from the
checkid_setup or checkid_immediate
+ * request the Consumer wishes to
verify.
+ * openid.signed : The list of signed fields from
the checkid_setup or
+ * checkid_immediate request the
Consumer wishes to verify the
+ * signature of.
+ * openid.* : The Consumer MUST send all the
openid.* response parameters
+ * from the openid.signed list which
they'd previously gotten
+ * back from a checkid_setup or
checkid_immediate request, with
+ * their values being exactly what
were returned from
+ * the Provider.
+ * openid.invalidate_handle : Optional; association handle
returned via invalidate_handle.
+ */
+
+ // Processing a verification request.
+ message = manager.verify(params);
+ return message.keyValueFormEncoding();
+ }
+
+ /**
+ * Return the error response message based on the given message
+ *
+ * @param message Error message
+ * @return Direct error
+ */
+ private String getErrorResponseText(String message) {
+ log.error(message);
+ // Error response.
+ return
DirectError.createDirectError(message).keyValueFormEncoding();
+ }
+
+ /**
+ * @param request OpenID authentication request.
+ * @return A list of requested parameters.
+ * @throws IdentityProviderException
+ */
+ private List<String> getRequestedAttributes(AuthRequest request)
+ throws IdentityProviderException {
+
+ OpenIDAuthenticationRequest req = null;
+ OpenIDExtension extension = null;
+ List<String> requiredAttributes = null;
+
+ req = new OpenIDAuthenticationRequest();
+ req.setAuthRequest(request);
+ requiredAttributes = new ArrayList<String>();
+
+ for (Object alias : request.getExtensions()) {
+ req.setExtensionAlias((String) alias);
+ extension =
OpenIDExtensionFactory.getInstance().getExtension(req);
+ if (extension != null) {
+
extension.addRequiredAttributes(requiredAttributes);
+ }
+ }
+
+ return requiredAttributes;
+ }
+
+ /**
+ * Post data to the OpenID relying party.
+ *
+ * @param httpReq HttpServletRequest
+ * @param httpResp HttpServletResponse
+ * @param message OpenID response message
+ * @throws IdentityProviderException
+ */
+ private void sendData(HttpServletRequest httpReq, HttpServletResponse
httpResp, Message message)
+ throws IdentityProviderException {
+
+ try {
+ // HTML FORM Redirection
+ RequestDispatcher dispatcher = httpReq
+
.getRequestDispatcher(IdentityProviderConstants.FORM_REDIRECTION);
+
httpReq.setAttribute(IdentityProviderConstants.PARAM_MAP,
message.getParameterMap());
+
httpReq.setAttribute(IdentityProviderConstants.DESTINATION_URL, message
+ .getDestinationUrl(false));
+ dispatcher.forward(httpReq, httpResp);
+ } catch (Exception e) {
+ throw new IdentityProviderException(
+
IdentityConstants.ErrorCodes.OPENID_RESP_GENERATION_FAILED, e);
+ }
+ }
+
+ /**
+ * Send a direct response to the RP.
+ *
+ * @param httpResp HttpServletResponse
+ * @param response Response message
+ * @return
+ * @throws IOException
+ */
+ private void directResponse(HttpServletResponse httpResp, String
response) throws IOException {
+ ServletOutputStream stream = null;
+ try {
+ stream = httpResp.getOutputStream();
+ stream.write(response.getBytes());
+ } finally {
+ if (stream != null)
+ stream.close();
+ }
+ }
}
\ No newline at end of file
Modified:
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/OpenIDUtil.java
==============================================================================
---
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/OpenIDUtil.java
(original)
+++
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/OpenIDUtil.java
Thu May 8 04:37:40 2008
@@ -115,7 +115,7 @@
while (iterator.hasNext()) {
String user = iterator.next();
- mapValues = userStore.getClaimValues(user, null);
+ mapValues = userStore.getClaimValues(user);
if (mapValues != null && !mapValues.isEmpty()) {
// User has defined claims!
@@ -331,7 +331,7 @@
while (iterator.hasNext()) {
String user = iterator.next();
- mapValues = userStore.getClaimValues(user, null);
+ mapValues = userStore.getClaimValues(user);
if (mapValues != null && !mapValues.isEmpty()) {
if (user.equals(userName)) {
Modified:
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/extensions/OpenIDAttributeExchange.java
==============================================================================
---
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/extensions/OpenIDAttributeExchange.java
(original)
+++
trunk/solutions/identity/modules/identity-provider/src/main/java/org/wso2/solutions/identity/openid/extensions/OpenIDAttributeExchange.java
Thu May 8 04:37:40 2008
@@ -131,7 +131,7 @@
entry = iterator.next();
val = getMappedAxSchema((String) entry.getValue());
tag = claimsAdmin.getMappedOpenIDTag(val);
- if (tag != null) {
+ if (tag != null && claims.get(tag) != null) {
claims.get(tag).setUri((String) entry.getValue());
map.put(tag, (String) entry.getKey());
}
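Review bot: The new guard `if (tag != null && claims.get(tag) != null)` performs the map lookup that the very next line repeats in `claims.get(tag).setUri(...)`; binding the value once (for example `Claim c = claims.get(tag);` using whatever the map's declared value type is, which is not visible in the hunk) and testing `c != null` reads more clearly and avoids the double access. The second hunk in this file adds the identical guard but writes it as `claims.get(tag)!=null` without the spacing used here; the two should match, particularly in a commit whose message says it is a line-length and code-review cleanup. With the guard in place an OpenID tag that has no entry in `claims` is now silently skipped, so a missing claim mapping shows up only as an attribute that never reaches the relying party; if the class has a logger, a debug line such as `log.debug("No claim configured for OpenID tag " + tag);` in an else branch would make that diagnosable. The enclosing loop and method start and end outside both hunks, so whether the two loops could share one helper cannot be judged from here.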
@@ -244,7 +244,7 @@
entry = iterator.next();
val = getMappedAxSchema((String) entry.getValue());
tag = claimsAdmin.getMappedOpenIDTag(val);
- if (tag != null) {
+ if (tag != null && claims.get(tag)!=null) {
claims.get(tag).setUri((String) entry.getValue());
map.put(tag, (String) entry.getKey());
}