From d99df2edfe4c51d68e77ec32620cfdf5285b0264 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 22 Jun 2015 14:37:38 +0200
Subject: Check StatusCode returned by IdP; set proper content type in requests to IdP; clean up imports and compact catch blocks

---
 .../edu/kit/scc/dei/ecplean/ECPAuthenticator.java | 79 ++++++++++------------
 .../kit/scc/dei/ecplean/ECPAuthenticatorBase.java | 3 +
 2 files changed, 40 insertions(+), 42 deletions(-)

diff --git a/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticator.java b/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticator.java
index f6d1bb7..4dfdb39 100644
--- a/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticator.java
+++ b/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticator.java
@@ -1,18 +1,15 @@
 package edu.kit.scc.dei.ecplean;
 
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
 import java.net.URI;
 
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathException;
 
 import org.apache.http.HttpResponse;
 import org.apache.http.ParseException;
-import org.apache.http.client.ClientProtocolException;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.entity.StringEntity;
@@ -20,6 +17,7 @@ import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.http.util.EntityUtils;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
 
 public class ECPAuthenticator extends ECPAuthenticatorBase {
@@ -27,7 +25,6 @@ public class ECPAuthenticator extends ECPAuthenticatorBase { public ECPAuthenticator(DefaultHttpClient client, String username, String password, URI idpEcpEndpoint, URI spUrl) { super(client); - authInfo = new ECPAuthenticationInfo(username, password, idpEcpEndpoint, spUrl); authInfo.setAuthState(ECPAuthState.NOT_STARTED); }
@@ -56,13 +53,7 @@ public class ECPAuthenticator extends ECPAuthenticatorBase {
 		try {
 			httpResponse = client.execute(httpGet);
 			responseBody = EntityUtils.toString(httpResponse.getEntity());
-		} catch (ClientProtocolException e) {
-			logger.debug("Initial SP Request failed");
-			throw new ECPAuthenticationException(e);
-		} catch (ParseException e) {
-			logger.debug("Initial SP Request failed");
-			throw new ECPAuthenticationException(e);
-		} catch (IOException e) {
+		} catch (IOException | ParseException e) {
 			logger.debug("Initial SP Request failed");
 			throw new ECPAuthenticationException(e);
 		}
@@ -70,13 +61,7 @@ public class ECPAuthenticator extends ECPAuthenticatorBase {
 		Document initResponse;
 		try {
 			initResponse = buildDocumentFromString(responseBody);
-		} catch (IOException e) {
-			logger.debug("Parsing SP Request failed");
-			throw new ECPAuthenticationException(e);
-		} catch (ParserConfigurationException e) {
-			logger.debug("Parsing SP Request failed");
-			throw new ECPAuthenticationException(e);
-		} catch (SAXException e) {
+		} catch (IOException | SAXException | ParserConfigurationException e) {
 			logger.debug("Parsing SP Request failed");
 			throw new ECPAuthenticationException(e);
 		}
@@ -102,11 +87,18 @@ public class ECPAuthenticator extends ECPAuthenticatorBase {
 		initResponse.getDocumentElement().removeChild(firstChild);
 
 		Document idpResponse = authenticateIdP(initResponse);
+
+		String statusCode = getStatusCode(idpResponse);
+
+		if (statusCode == null)
+			throw new ECPAuthenticationException("IdP returned no status code!!!x");
+		if (!statusCode.endsWith(":Success") && !statusCode.endsWith(":success"))
+			throw new ECPAuthenticationException("IdP Returned StatusCode " + statusCode);
 
 		String assertionConsumerUrl;
 		try {
 			assertionConsumerUrl = (String) queryDocument(idpResponse, "/S:Envelope/S:Header/ecp:Response/@AssertionConsumerServiceURL", XPathConstants.STRING);
-		} catch (XPathException e) {
+		} catch (Exception e) {
 			logger.debug("Could not find assertion consumer url in answer from IdP");
 			throw new ECPAuthenticationException(e);
 		}
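Review bot: The Success test `statusCode.endsWith(":Success") && ...` accepts any status URI whose last segment happens to be Success and additionally admits a lowercase `:success` that SAML does not define; since this check is what gates forwarding the assertion, compare against the full top-level status URI, `if (!"urn:oasis:names:tc:SAML:2.0:status:Success".equals(statusCode))`. The message in the preceding throw, `"IdP returned no status code!!!x"`, carries a stray `x` and exclamation marks that look like leftovers. Widening the catch around queryDocument from XPathException to `Exception` also folds NullPointerException and other programming errors into ECPAuthenticationException; keep `catch (XPathException e)` unless a specific additional exception type is expected there. The enclosing method starts and ends outside this hunk.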
@@ -121,26 +113,12 @@ public class ECPAuthenticator extends ECPAuthenticatorBase {
 		logger.info("Sending Assertion to SP");
 		HttpPost httpPost = new HttpPost(assertionConsumerUrl);
 		httpPost.setHeader("Content-Type", "application/vnd.paos+xml");
+		httpPost.setHeader("PAOS", "ver='urn:liberty:paos:2003-08';'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp'");
 		try {
 			httpPost.setEntity(new StringEntity(documentToString(idpResponse)));
 			httpResponse = client.execute(httpPost);
 			responseBody = EntityUtils.toString(httpResponse.getEntity());
-		} catch (UnsupportedEncodingException e) {
-			logger.debug("Could not post assertion back to SP");
-			throw new ECPAuthenticationException(e);
-		} catch (TransformerConfigurationException e) {
-			logger.debug("Could not post assertion back to SP");
-			throw new ECPAuthenticationException(e);
-		} catch (ClientProtocolException e) {
-			logger.debug("Could not post assertion back to SP");
-			throw new ECPAuthenticationException(e);
-		} catch (ParseException e) {
-			logger.debug("Could not post assertion back to SP");
-			throw new ECPAuthenticationException(e);
-		} catch (TransformerException e) {
-			logger.debug("Could not post assertion back to SP");
-			throw new ECPAuthenticationException(e);
-		} catch (IOException e) {
+		} catch (TransformerException | IOException e) {
 			logger.debug("Could not post assertion back to SP");
 			throw new ECPAuthenticationException(e);
 		}
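Review bot: The compacted catch `TransformerException | IOException` no longer covers org.apache.http.ParseException, which the removed block did catch and which `EntityUtils.toString` on the line above can throw (it is unchecked in HttpCore), so that failure now escapes as a raw ParseException instead of an ECPAuthenticationException, unlike the two sibling catch blocks in this commit that keep `IOException | ParseException`; use `} catch (TransformerException | IOException | ParseException e) {`. Separately, the assertion is posted to the `assertionConsumerUrl` read out of the IdP's ecp:Response; the SAML ECP profile requires the client to compare that value with the responseConsumerURL the SP sent in its initial PAOS request and to refuse to forward the assertion on mismatch — if that comparison is not already made in the lines between this hunk and the previous one, it belongs before the POST. The enclosing method starts and ends outside this hunk.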
@@ -152,16 +130,33 @@ public class ECPAuthenticator extends ECPAuthenticatorBase {
 			responseBody = EntityUtils.toString(httpResponse.getEntity());
 
 			logger.info(responseBody);
-		} catch (ClientProtocolException e) {
-			logger.debug("Could not request original URL");
-			throw new ECPAuthenticationException(e);
-		} catch (ParseException e) {
-			logger.debug("Could not request original URL");
-			throw new ECPAuthenticationException(e);
-		} catch (IOException e) {
+		} catch (IOException | ParseException e) {
 			logger.debug("Could not request original URL");
 			throw new ECPAuthenticationException(e);
 		}
 	}
+
+	private String getStatusCode(Document idpResponse) {
+		NodeList nl;
+		try {
+			nl = (NodeList) queryDocument(idpResponse, "//*", XPathConstants.NODESET);
+		} catch (XPathException e) {
+			return null;
+		}
+		if (nl == null)
+			return null;
+		for (int i = 0; i < nl.getLength(); ++i) {
+			Node ns = nl.item(i);
+			if (!ns.getLocalName().endsWith("StatusCode"))
+				continue;
+			if (!ns.hasAttributes())
+				continue;
+			Node val = ns.getAttributes().getNamedItem("Value");
+			if (val == null)
+				continue;
+			return val.getNodeValue();
+		}
+		return null;
+	}
 
 }
diff --git a/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java b/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java
index 7e080f6..ff48afb 100644
--- a/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java
+++ b/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java
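Review bot: `ns.getLocalName()` in the new getStatusCode can return null for nodes created without namespace support (DOM specifies null for such nodes), which would turn the loop into a NullPointerException on the first such element; read the name first and guard it, `String name = ns.getLocalName(); if (name == null || !name.endsWith("StatusCode")) continue;`. The `catch (XPathException e) { return null; }` drops the cause, so the caller then reports that the IdP returned no status code even when the lookup itself failed; log the exception at debug level before returning, as the other catch blocks in this file do. Matching any element whose local name merely ends with StatusCode, without checking its namespace, is loose for a value that decides whether authentication succeeded — confirm that the document handed in is always the IdP's SOAP response so only samlp:StatusCode can match, or restrict the query accordingly. A one-line Javadoc, `/** Returns the Value attribute of the first StatusCode element in the IdP response, or null if none is found. */`, would also help since the method returns null for three different reasons.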
@@ -77,6 +77,9 @@ public abstract class ECPAuthenticatorBase extends Observable {
 
 		try {
 			httpPost.setEntity(new StringEntity(documentToString(idpRequest)));
+			httpPost.setHeader("Accept", "text/html; application/vnd.paos+xml");
+			httpPost.setHeader("PAOS", "ver='urn:liberty:paos:2003-08';'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp'");
+			httpPost.setHeader("Content-Type", "application/vnd.paos+xml");
 			httpResponse = client.execute(httpPost);
 
 			if (httpResponse.getStatusLine().getStatusCode() == HttpStatus.SC_UNAUTHORIZED) {
-- 
cgit v1.2.3-55-g7522
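Review bot: The PAOS header literal `ver='urn:liberty:paos:2003-08';'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp'` and the `application/vnd.paos+xml` media type are now duplicated verbatim between this hunk and the setHeader calls in ECPAuthenticator; declare them once as `static final String` constants in ECPAuthenticatorBase so the request to the IdP and the request to the SP cannot drift apart. The Accept value `text/html; application/vnd.paos+xml` separates the two media types with a semicolon, which HTTP reads as a parameter of text/html rather than a second media type — the ECP profile's own example uses this spelling, so it is presumably deliberate, but a short comment saying so would stop the next reader from "correcting" it to a comma. The enclosing method starts and ends outside this hunk.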