[507] | 1 | package xwss.saml;
|
---|
| 2 |
|
---|
| 3 | import com.sun.org.apache.xml.internal.security.keys.KeyInfo;
|
---|
| 4 | import com.sun.xml.wss.XWSSecurityException;
|
---|
| 5 | import java.io.*;
|
---|
| 6 | import java.security.KeyStoreException;
|
---|
| 7 | import java.security.NoSuchAlgorithmException;
|
---|
| 8 | import java.security.UnrecoverableKeyException;
|
---|
| 9 | import java.security.cert.CertificateException;
|
---|
| 10 | import java.util.*;
|
---|
| 11 |
|
---|
| 12 | import java.security.KeyStore;
|
---|
| 13 | import java.security.PrivateKey;
|
---|
| 14 | import java.security.PublicKey;
|
---|
| 15 | import java.security.cert.X509Certificate;
|
---|
| 16 | import java.security.cert.Certificate;
|
---|
| 17 | import javax.security.auth.callback.Callback;
|
---|
| 18 | import javax.security.auth.callback.CallbackHandler;
|
---|
| 19 | import javax.security.auth.callback.UnsupportedCallbackException;
|
---|
| 20 | import com.sun.xml.wss.impl.callback.*;
|
---|
| 21 | import com.sun.xml.wss.saml.*;
|
---|
| 22 | import javax.xml.parsers.DocumentBuilderFactory;
|
---|
| 23 | import javax.xml.parsers.ParserConfigurationException;
|
---|
| 24 | import org.w3c.dom.*;
|
---|
| 25 | import gov.hhs.fha.nhinc.token.InternalTokenMgr;
|
---|
| 26 | import java.text.ParseException;
|
---|
| 27 | import java.text.SimpleDateFormat;
|
---|
| 28 | //import javax.mail.internet.AddressException;
|
---|
| 29 | //import javax.mail.internet.InternetAddress;
|
---|
| 30 | import javax.security.auth.x500.X500Principal;
|
---|
| 31 | import org.apache.commons.logging.Log;
|
---|
| 32 | import org.apache.commons.logging.LogFactory;
|
---|
| 33 |
|
---|
| 34 | /**
|
---|
| 35 | * This class implements the CallbackHandler which is invoked upon sending a
|
---|
| 36 | * message requiring the SAML Assertion Token. It accessed the information from
|
---|
| 37 | * the storage file in order to build up the required token elements.
|
---|
| 38 | */
|
---|
| 39 | public class SamlCallbackHandler implements CallbackHandler {
|
---|
| 40 |
|
---|
| 41 | private static Log log = LogFactory.getLog(SamlCallbackHandler.class);
|
---|
| 42 | private static final String AUTHN_DECISION = "Permit";
|
---|
| 43 | private static final String EVIDENCE_FORM_TYPE = "application/pdf";
|
---|
| 44 | public static final String HOK_CONFIRM = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key";
|
---|
| 45 | public static final String SV_CONFIRM = "urn:oasis:names:tc:SAML:2.0:cm:authorization-over-ssl";
|
---|
| 46 | private static final String X509_ID = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";
|
---|
| 47 | private static final String WIN_ID = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName";
|
---|
| 48 | private static final String UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
|
---|
| 49 | private static final String X509_AUTHN_CNTX_CLS = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509";
|
---|
| 50 | private static final String NHIN_NS = "http://www.hhs.gov/healthit/nhin";
|
---|
| 51 | private static final int defaultName = 0;
|
---|
| 52 | private static final int primaryName = 1;
|
---|
| 53 | private Properties tokenVals;
|
---|
| 54 | private KeyStore keyStore;
|
---|
| 55 | private KeyStore trustStore;
|
---|
| 56 | private static final String storeType = "JKS";
|
---|
| 57 | private static Element svAssertion;
|
---|
| 58 | private static Element hokAssertion20;
|
---|
| 59 |
|
---|
| 60 |
|
---|
| 61 | static {
|
---|
| 62 | //WORKAROUND NEEDED IN METRO1.4. TO BE REMOVED LATER.
|
---|
| 63 | javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(
|
---|
| 64 | new javax.net.ssl.HostnameVerifier() {
|
---|
| 65 |
|
---|
| 66 | public boolean verify(String hostname,
|
---|
| 67 | javax.net.ssl.SSLSession sslSession) {
|
---|
| 68 | return true;
|
---|
| 69 | }
|
---|
| 70 | });
|
---|
| 71 | }
|
---|
| 72 |
|
---|
| 73 | /**
|
---|
| 74 | * Constructs the callback handler and initializes the keystore and
|
---|
| 75 | * truststore references to the security certificates
|
---|
| 76 | */
|
---|
| 77 | public SamlCallbackHandler() {
|
---|
| 78 | log.debug("SamlCallbackHandler Constructor -- Begin");
|
---|
| 79 | try {
|
---|
| 80 | initKeyStore();
|
---|
| 81 | initTrustStore();
|
---|
| 82 | } catch (IOException e) {
|
---|
| 83 | log.error("SamlCallbackHandler Exception: " + e.getMessage());
|
---|
| 84 | e.printStackTrace();
|
---|
| 85 | throw new RuntimeException(e);
|
---|
| 86 | }
|
---|
| 87 | log.debug("SamlCallbackHandler Constructor -- Begin");
|
---|
| 88 | }
|
---|
| 89 |
|
---|
| 90 | /**
|
---|
| 91 | * This is the invoked implementation to handle the SAML Token creation upon
|
---|
| 92 | * notification of an outgoing message needing SAML. Based on the type of
|
---|
| 93 | * confirmation method detected on the Callbace it creates either a
|
---|
| 94 | * "Sender Vouches: or a "Holder-ok_Key" variant of the SAML Assertion.
|
---|
| 95 | * @param callbacks The SAML Callback
|
---|
| 96 | * @throws java.io.IOException
|
---|
| 97 | * @throws javax.security.auth.callback.UnsupportedCallbackException
|
---|
| 98 | */
|
---|
| 99 | public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
|
---|
| 100 | log.debug(" ********************************** Handle SAML Callback Begin**************************");
|
---|
| 101 | getProperties();
|
---|
| 102 | for (int i = 0; i < callbacks.length; i++) {
|
---|
| 103 | if (callbacks[i] instanceof SAMLCallback) {
|
---|
| 104 | SAMLCallback samlCallback = (SAMLCallback) callbacks[i];
|
---|
| 105 | if (samlCallback.getConfirmationMethod().equals(SAMLCallback.HOK_ASSERTION_TYPE)) {
|
---|
| 106 | samlCallback.setAssertionElement(createHOKSAMLAssertion20());
|
---|
| 107 | hokAssertion20 = samlCallback.getAssertionElement();
|
---|
| 108 | } else if (samlCallback.getConfirmationMethod().equals(SAMLCallback.SV_ASSERTION_TYPE)) {
|
---|
| 109 | samlCallback.setAssertionElement(createSVSAMLAssertion20());
|
---|
| 110 | svAssertion = samlCallback.getAssertionElement();
|
---|
| 111 | } else {
|
---|
| 112 | log.error("Unknown SAML Assertion Type: " + samlCallback.getConfirmationMethod());
|
---|
| 113 | throw new UnsupportedCallbackException(null, "SAML Assertion Type is not matched:" + samlCallback.getConfirmationMethod());
|
---|
| 114 | }
|
---|
| 115 | } else {
|
---|
| 116 | log.error("Unknown Callback encountered: " + callbacks[i]);
|
---|
| 117 | throw new UnsupportedCallbackException(null, "Unsupported Callback Type Encountered");
|
---|
| 118 | }
|
---|
| 119 | }
|
---|
| 120 | log.debug("********************************** Handle SAML Callback End**************************");
|
---|
| 121 | System.out.flush();
|
---|
| 122 | }
|
---|
| 123 |
|
---|
| 124 | /**
|
---|
| 125 | * Creates the "Sender Vouches" variant of the SAML Assertion token.
|
---|
| 126 | * @return The Assertion element
|
---|
| 127 | */
|
---|
| 128 | private Element createSVSAMLAssertion20() {
|
---|
| 129 | log.debug("SamlCallbackHandler.createSVSAMLAssertion20() -- Begin");
|
---|
| 130 | Assertion assertion = null;
|
---|
| 131 | try {
|
---|
| 132 | SAMLAssertionFactory factory = SAMLAssertionFactory.newInstance(SAMLAssertionFactory.SAML2_0);
|
---|
| 133 |
|
---|
| 134 | // create the assertion id
|
---|
| 135 | String aID = String.valueOf(UUID.randomUUID());
|
---|
| 136 |
|
---|
| 137 | // name id of the issuer - For now just use default
|
---|
| 138 | NameID issueId = create509NameID(factory, defaultName);
|
---|
| 139 |
|
---|
| 140 | // issue instant
|
---|
| 141 | GregorianCalendar issueInstant = calendarFactory();
|
---|
| 142 |
|
---|
| 143 | // name id of the subject - user name
|
---|
| 144 | String uname = "defUser";
|
---|
| 145 | if (tokenVals.containsKey(InternalTokenMgr.userNameAttrName)) {
|
---|
| 146 | uname = tokenVals.getProperty(InternalTokenMgr.userNameAttrName);
|
---|
| 147 | }
|
---|
| 148 | NameID nmId = factory.createNameID(uname, null, WIN_ID);
|
---|
| 149 | Subject subj = factory.createSubject(nmId, null);
|
---|
| 150 |
|
---|
| 151 | // authentication statement
|
---|
| 152 | List statements = createAuthnStatements(factory, issueInstant);
|
---|
| 153 |
|
---|
| 154 | assertion = factory.createAssertion(aID, issueId, issueInstant,
|
---|
| 155 | null, null, subj, statements);
|
---|
| 156 |
|
---|
| 157 | assertion.setVersion("2.0");
|
---|
| 158 |
|
---|
| 159 | log.debug("createSVSAMLAssertion20 end ()");
|
---|
| 160 | return assertion.toElement(null);
|
---|
| 161 | } catch (Exception e) {
|
---|
| 162 | e.printStackTrace();
|
---|
| 163 | throw new RuntimeException(e);
|
---|
| 164 | }
|
---|
| 165 | }
|
---|
| 166 |
|
---|
| 167 | /**
|
---|
| 168 | * Creates the "Holder-of-Key" variant of the SAML Assertion token.
|
---|
| 169 | * @return The Assertion element
|
---|
| 170 | */
|
---|
| 171 | private Element createHOKSAMLAssertion20() {
|
---|
| 172 | log.debug("SamlCallbackHandler.createHOKSAMLAssertion20() -- Begin");
|
---|
| 173 | Assertion assertion = null;
|
---|
| 174 | try {
|
---|
| 175 | SAMLAssertionFactory factory = SAMLAssertionFactory.newInstance(SAMLAssertionFactory.SAML2_0);
|
---|
| 176 |
|
---|
| 177 | // create the assertion id
|
---|
| 178 | String aID = String.valueOf(UUID.randomUUID());
|
---|
| 179 |
|
---|
| 180 | // name id of the issuer - For now just use default
|
---|
| 181 | NameID issueId = create509NameID(factory, defaultName);
|
---|
| 182 |
|
---|
| 183 | // issue instant
|
---|
| 184 | GregorianCalendar issueInstant = calendarFactory();
|
---|
| 185 |
|
---|
| 186 | // subject information
|
---|
| 187 | NameID subjId = create509NameID(factory, primaryName);
|
---|
| 188 |
|
---|
| 189 | // default private key cert request
|
---|
| 190 | SignatureKeyCallback.DefaultPrivKeyCertRequest request = new SignatureKeyCallback.DefaultPrivKeyCertRequest();
|
---|
| 191 | getDefaultPrivKeyCert(request);
|
---|
| 192 | if (request.getX509Certificate() == null) {
|
---|
| 193 | throw new RuntimeException("Not able to resolve the Default Certificate");
|
---|
| 194 | }
|
---|
| 195 | PublicKey pubKey = request.getX509Certificate().getPublicKey();
|
---|
| 196 | PrivateKey privKey = request.getPrivateKey();
|
---|
| 197 |
|
---|
| 198 | // subject confirmation
|
---|
| 199 | DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
|
---|
| 200 | Document doc = docFactory.newDocumentBuilder().newDocument();
|
---|
| 201 | KeyInfo keyInfo = new KeyInfo(doc);
|
---|
| 202 | keyInfo.addKeyValue(pubKey);
|
---|
| 203 | SubjectConfirmationData scd = factory.createSubjectConfirmationData(null, null, null, null, null, keyInfo.getElement());
|
---|
| 204 | SubjectConfirmation scf = factory.createSubjectConfirmation(null, scd, HOK_CONFIRM);
|
---|
| 205 | Subject subj = factory.createSubject(subjId, scf);
|
---|
| 206 |
|
---|
| 207 | // authentication statement
|
---|
| 208 | List statements = createAuthnStatements(factory, issueInstant);
|
---|
| 209 |
|
---|
| 210 | assertion = factory.createAssertion(aID, issueId, issueInstant, null, null, subj, statements);
|
---|
| 211 | assertion.setVersion("2.0");
|
---|
| 212 | log.debug("SamlCallbackHandler.createHOKSAMLAssertion20() -- End");
|
---|
| 213 | return assertion.sign(pubKey, privKey);
|
---|
| 214 | } catch (ParserConfigurationException ex) {
|
---|
| 215 | log.error("Unable to create HOK Assertion: " + ex.getMessage());
|
---|
| 216 | ex.printStackTrace();
|
---|
| 217 | throw new RuntimeException(ex);
|
---|
| 218 | } catch (IOException ex) {
|
---|
| 219 | log.error("Unable to create HOK Assertion: " + ex.getMessage());
|
---|
| 220 | ex.printStackTrace();
|
---|
| 221 | throw new RuntimeException(ex);
|
---|
| 222 | } catch (SAMLException ex) {
|
---|
| 223 | log.error("Unable to create HOK Assertion: " + ex.getMessage());
|
---|
| 224 | ex.printStackTrace();
|
---|
| 225 | throw new RuntimeException(ex);
|
---|
| 226 | } catch (XWSSecurityException ex) {
|
---|
| 227 | log.error("Unable to create HOK Assertion: " + ex.getMessage());
|
---|
| 228 | ex.printStackTrace();
|
---|
| 229 | throw new RuntimeException(ex);
|
---|
| 230 | }
|
---|
| 231 | }
|
---|
| 232 |
|
---|
| 233 | /**
|
---|
| 234 | * Both the Issuer and the Subject elements have a NameID element which is
|
---|
| 235 | * formed through this method. Currently default data is used to specify
|
---|
| 236 | * the required Issuer information. However, the Subject information is
|
---|
| 237 | * defined based on the stored value of the userid. If this is a legal X509
|
---|
| 238 | * structute the NameId is constructed in that format, if not it is
|
---|
| 239 | * constructed as an "Unspecified" format.
|
---|
| 240 | * @param factory The factory object used to assist in the construction of
|
---|
| 241 | * the SAML Assertion token
|
---|
| 242 | * @param assId Identifies this as default usage case or one with declared
|
---|
| 243 | * value.
|
---|
| 244 | * @return The constructed NameID element
|
---|
| 245 | * @throws com.sun.xml.wss.saml.SAMLException
|
---|
| 246 | */
|
---|
| 247 | private NameID create509NameID(SAMLAssertionFactory factory, int assId) throws SAMLException {
|
---|
| 248 | log.debug("SamlCallbackHandler.createNameID() -- Begin");
|
---|
| 249 | NameID nmId = null;
|
---|
| 250 | String defCN = "SAML User";
|
---|
| 251 | String defOU = "SU";
|
---|
| 252 | String defO = "SAML User";
|
---|
| 253 | String defL = "Los Angeles";
|
---|
| 254 | String defST = "CA";
|
---|
| 255 | String defC = "US";
|
---|
| 256 |
|
---|
| 257 | String identifier;
|
---|
| 258 | if (assId != primaryName) {
|
---|
| 259 | identifier = "CN=" + defCN + "," + "OU=" + defOU + "," +
|
---|
| 260 | "O=" + defO + "," + "L=" + defL + "," +
|
---|
| 261 | "ST=" + defST + "," + "C=" + defC;
|
---|
| 262 | nmId = factory.createNameID(identifier, null, X509_ID);
|
---|
| 263 | log.debug("Create X509 name: " + identifier);
|
---|
| 264 | } else {
|
---|
| 265 | String x509Name = "UID=" + tokenVals.getProperty(InternalTokenMgr.userNameAttrName);
|
---|
| 266 | try {
|
---|
| 267 | X500Principal prin = new X500Principal(x509Name);
|
---|
| 268 | nmId = factory.createNameID(x509Name, null, X509_ID);
|
---|
| 269 | log.debug("Create X509 name: " + x509Name);
|
---|
| 270 | } catch (IllegalArgumentException iae) {
|
---|
| 271 | /* Could also test if email form if we wanted to support that */
|
---|
| 272 | log.warn("Set format as Unspecified. Invalid X509 format: " +
|
---|
| 273 | tokenVals.getProperty(InternalTokenMgr.userNameAttrName) + " " + iae.getMessage());
|
---|
| 274 | nmId = factory.createNameID(tokenVals.getProperty(InternalTokenMgr.userNameAttrName), null, UNSPECIFIED);
|
---|
| 275 | }
|
---|
| 276 | }
|
---|
| 277 |
|
---|
| 278 | log.debug("SamlCallbackHandler.createNameID() -- End");
|
---|
| 279 | return nmId;
|
---|
| 280 | }
|
---|
| 281 |
|
---|
| 282 | /*public boolean isValidEmailAddress(String address) {
|
---|
| 283 | log.debug("SamlCallbackHandler.isValidEmailAddress() " + address + " -- Begin");
|
---|
| 284 | boolean retBool = false;
|
---|
| 285 | if (address != null && address.length() > 0) {
|
---|
| 286 | try {
|
---|
| 287 | InternetAddress emailAddr = new InternetAddress(address, true);
|
---|
| 288 | String[] tokens = address.split("@");
|
---|
| 289 | if (tokens.length == 2 && tokens[0].trim().length() > 0 && tokens[1].trim().length() > 0) {
|
---|
| 290 | retBool = true;
|
---|
| 291 | } else {
|
---|
| 292 | log.debug("Address does not follow the form 'local-part@domain'");
|
---|
| 293 | }
|
---|
| 294 | } catch (AddressException ex) {
|
---|
| 295 | // address does not comply with RFC822
|
---|
| 296 | log.debug("Address is not of the RFC822 format");
|
---|
| 297 | }
|
---|
| 298 | }
|
---|
| 299 | log.debug("SamlCallbackHandler.isValidEmailAddress() " + retBool + " -- End");
|
---|
| 300 | return retBool;
|
---|
| 301 | }*/
|
---|
| 302 | /**
|
---|
| 303 | * Creates the authentication statement, the attribute statements, and the
|
---|
| 304 | * authorization decision statements for placement in the SAML Assertion.
|
---|
| 305 | * @param factory The factory object used to assist in the construction of
|
---|
| 306 | * the SAML Assertion token
|
---|
| 307 | * @param issueInstant The calendar representing the time of Assertion issuance
|
---|
| 308 | * @return A listing of all statements
|
---|
| 309 | * @throws com.sun.xml.wss.saml.SAMLException
|
---|
| 310 | */
|
---|
| 311 | private List createAuthnStatements(SAMLAssertionFactory factory, GregorianCalendar issueInstant) throws SAMLException {
|
---|
| 312 | log.debug("SamlCallbackHandler.createAuthnStatements() -- Begin");
|
---|
| 313 | List statements = new ArrayList();
|
---|
| 314 |
|
---|
| 315 | // Create Subject Locality
|
---|
| 316 | SubjectLocality subjLoc = null;
|
---|
| 317 | /* This is currently an optional item
|
---|
| 318 | try {
|
---|
| 319 | subjLoc = factory.createSubjectLocality(InetAddress.getLocalHost().getHostAddress(), InetAddress.getLocalHost().getCanonicalHostName());
|
---|
| 320 | } catch (UnknownHostException ex) {
|
---|
| 321 | log.debug("Optional element SubjectLocality can not be determined: " + ex.getMessage());
|
---|
| 322 | }*/
|
---|
| 323 | AuthnContext authnContext = factory.createAuthnContext(X509_AUTHN_CNTX_CLS, null);
|
---|
| 324 |
|
---|
| 325 | // Create Authentication statement
|
---|
| 326 | AuthnStatement authState = (com.sun.xml.wss.saml.assertion.saml20.jaxb20.AuthnStatement) factory.createAuthnStatement(issueInstant, subjLoc, authnContext, "123456", null);
|
---|
| 327 |
|
---|
| 328 | if (authState != null) {
|
---|
| 329 | statements.add(authState);
|
---|
| 330 | }
|
---|
| 331 |
|
---|
| 332 | statements.addAll(addAssertStatements(factory));
|
---|
| 333 |
|
---|
| 334 | // Create resource for Authentication Statement
|
---|
| 335 | String resource = null;
|
---|
| 336 | if (tokenVals.containsKey(InternalTokenMgr.resourceAttrName)) {
|
---|
| 337 | resource = tokenVals.getProperty(InternalTokenMgr.resourceAttrName);
|
---|
| 338 | }
|
---|
| 339 |
|
---|
| 340 | // Options are Permit (Deny and Indeterminate are not used at this time)
|
---|
| 341 | String decision = AUTHN_DECISION;
|
---|
| 342 |
|
---|
| 343 | List actions = new ArrayList();
|
---|
| 344 | if (tokenVals.containsKey(InternalTokenMgr.actionAttrName)) {
|
---|
| 345 | String actionAttr = tokenVals.getProperty(InternalTokenMgr.actionAttrName);
|
---|
| 346 | try {
|
---|
| 347 | final Document document = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
|
---|
| 348 | final Element elemURAttr = document.createElementNS("urn:oasis:names:tc:SAML:2.0:assertion", "Action");
|
---|
| 349 | elemURAttr.setAttribute("Namespace", NHIN_NS);
|
---|
| 350 | elemURAttr.setTextContent(actionAttr);
|
---|
| 351 | actions.add(elemURAttr);
|
---|
| 352 | } catch (ParserConfigurationException ex) {
|
---|
| 353 | actions.add(actionAttr);
|
---|
| 354 | }
|
---|
| 355 | }
|
---|
| 356 |
|
---|
| 357 | // Evidence Assertion generation
|
---|
| 358 | Evidence evidence = createEvidence(factory, issueInstant);
|
---|
| 359 |
|
---|
| 360 | AuthnDecisionStatement authDecState = factory.createAuthnDecisionStatement(resource, decision, actions, evidence);
|
---|
| 361 | if (authDecState != null) {
|
---|
| 362 | statements.add(authDecState);
|
---|
| 363 | }
|
---|
| 364 |
|
---|
| 365 | log.debug("SamlCallbackHandler.createAuthnStatements() -- End");
|
---|
| 366 | return statements;
|
---|
| 367 | }
|
---|
| 368 |
|
---|
| 369 | /**
|
---|
| 370 | * Creates the Attribute statements for UserName, UserOrganization,
|
---|
| 371 | * UserRole, and PurposeForUse
|
---|
| 372 | * @param factory The factory object used to assist in the construction of
|
---|
| 373 | * the SAML Assertion token
|
---|
| 374 | * @return The listing of all Attribute statements
|
---|
| 375 | * @throws com.sun.xml.wss.saml.SAMLException
|
---|
| 376 | */
|
---|
| 377 | private List addAssertStatements(SAMLAssertionFactory factory) throws SAMLException {
|
---|
| 378 |
|
---|
| 379 | log.debug("SamlCallbackHandler.addAssertStatements() -- Begin");
|
---|
| 380 | List statements = new ArrayList();
|
---|
| 381 | List attributes = new ArrayList();
|
---|
| 382 |
|
---|
| 383 | // Set the User Name Attribute
|
---|
| 384 | List attributeValues1 = new ArrayList();
|
---|
| 385 | attributeValues1.add(tokenVals.getProperty(InternalTokenMgr.userFirstNameAttrName) + " " + tokenVals.getProperty(InternalTokenMgr.userMiddleNameAttrName) + " " + tokenVals.getProperty(InternalTokenMgr.userLastNameAttrName));
|
---|
| 386 | attributes.add(factory.createAttribute(InternalTokenMgr.userNameAttrName, NHIN_NS, attributeValues1));
|
---|
| 387 |
|
---|
| 388 | // Set the User Organization Attribute
|
---|
| 389 | List attributeValues2 = new ArrayList();
|
---|
| 390 | attributeValues2.add(tokenVals.getProperty(InternalTokenMgr.userOrgAttrName));
|
---|
| 391 | attributes.add(factory.createAttribute(InternalTokenMgr.userOrgAttrName, NHIN_NS, attributeValues2));
|
---|
| 392 |
|
---|
| 393 | try {
|
---|
| 394 | // Set the User Role Attribute
|
---|
| 395 | List attributeValues3 = new ArrayList();
|
---|
| 396 | final Document document = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
|
---|
| 397 | final Element elemURAttr = document.createElementNS("urn:oasis:names:tc:SAML:2.0:assertion", "AttibuteValue");
|
---|
| 398 | final Element userRole = document.createElementNS(NHIN_NS, "nhin:Role");
|
---|
| 399 | elemURAttr.appendChild(userRole);
|
---|
| 400 | userRole.setAttribute("code", tokenVals.getProperty(InternalTokenMgr.userRoleCodeAttrName));
|
---|
| 401 | userRole.setAttribute("codeSystem", tokenVals.getProperty(InternalTokenMgr.userRoleCodeSystemAttrName));
|
---|
| 402 | userRole.setAttribute("codeSystemName", tokenVals.getProperty(InternalTokenMgr.userRoleCodeSystemNameAttrName));
|
---|
| 403 | userRole.setAttribute("displayName", tokenVals.getProperty(InternalTokenMgr.userRoleDisplayAttrName));
|
---|
| 404 | attributeValues3.add(elemURAttr);
|
---|
| 405 | attributes.add(factory.createAttribute("UserRole", NHIN_NS, attributeValues3));
|
---|
| 406 |
|
---|
| 407 | // Add a hardcoded string for Purpose For Use Attribute
|
---|
| 408 | List attributeValues4 = new ArrayList();
|
---|
| 409 | final Element elemPFUAttr = document.createElementNS("urn:oasis:names:tc:SAML:2.0:assertion", "AttibuteValue");
|
---|
| 410 | final Element purpose = document.createElementNS(NHIN_NS, "nhin:PurposeForUse");
|
---|
| 411 | elemPFUAttr.appendChild(purpose);
|
---|
| 412 | purpose.setAttribute("code", tokenVals.getProperty(InternalTokenMgr.purposeCodeAttrName));
|
---|
| 413 | purpose.setAttribute("codeSystem", tokenVals.getProperty(InternalTokenMgr.purposeCodeSystemAttrName));
|
---|
| 414 | purpose.setAttribute("codeSystemName", tokenVals.getProperty(InternalTokenMgr.purposeCodeSystemNameAttrName));
|
---|
| 415 | purpose.setAttribute("displayName", tokenVals.getProperty(InternalTokenMgr.purposeDisplayAttrName));
|
---|
| 416 | attributeValues4.add(elemPFUAttr);
|
---|
| 417 | attributes.add(factory.createAttribute("PurposeForUse", NHIN_NS, attributeValues4));
|
---|
| 418 |
|
---|
| 419 | if (!attributes.isEmpty()) {
|
---|
| 420 | statements.add(factory.createAttributeStatement(attributes));
|
---|
| 421 | }
|
---|
| 422 | } catch (ParserConfigurationException ex) {
|
---|
| 423 | log.debug("Unable to create an XML Document to set Attributes" + ex.getMessage());
|
---|
| 424 | }
|
---|
| 425 | log.debug("SamlCallbackHandler.addAssertStatements() -- End");
|
---|
| 426 | return statements;
|
---|
| 427 |
|
---|
| 428 | }
|
---|
| 429 |
|
---|
| 430 | /**
|
---|
| 431 | * Creates the Evidence element that encompasses the Assertion defining the
|
---|
| 432 | * authorization form needed in cases where evidence of authorization to
|
---|
| 433 | * access the medical records must be provided along with the message request
|
---|
| 434 | * @param factory The factory object used to assist in the construction of
|
---|
| 435 | * the SAML Assertion token
|
---|
| 436 | * @param issueInstant The calendar representing the time of Assertion issuance
|
---|
| 437 | * @return The Evidence element
|
---|
| 438 | * @throws com.sun.xml.wss.saml.SAMLException
|
---|
| 439 | */
|
---|
| 440 | private Evidence createEvidence(SAMLAssertionFactory factory, GregorianCalendar issueInstant) throws SAMLException {
|
---|
| 441 | log.debug("SamlCallbackHandler.createEvidence() -- Begin");
|
---|
| 442 |
|
---|
| 443 | List evAsserts = new ArrayList();
|
---|
| 444 | try {
|
---|
| 445 | String evAssertionID = String.valueOf(UUID.randomUUID());
|
---|
| 446 | NameID evIssuerId = create509NameID(factory, defaultName);
|
---|
| 447 |
|
---|
| 448 | GregorianCalendar beginValidTime = calendarFactory();
|
---|
| 449 | if (tokenVals.containsKey(InternalTokenMgr.signDateAttrName)) {
|
---|
| 450 | beginValidTime = createCal(tokenVals.getProperty(InternalTokenMgr.signDateAttrName));
|
---|
| 451 | }
|
---|
| 452 | GregorianCalendar endValidTime = calendarFactory();
|
---|
| 453 | if (tokenVals.containsKey(InternalTokenMgr.expireDateAttrName)) {
|
---|
| 454 | endValidTime = createCal(tokenVals.getProperty(InternalTokenMgr.expireDateAttrName));
|
---|
| 455 | }
|
---|
| 456 |
|
---|
| 457 | if (beginValidTime.after(endValidTime)) {
|
---|
| 458 | // set beginning time to now
|
---|
| 459 | beginValidTime = calendarFactory();
|
---|
| 460 | log.warn("The beginning time for the valid evidence should be before the ending time. " +
|
---|
| 461 | "Setting the beginning time to the current system time.");
|
---|
| 462 | }
|
---|
| 463 |
|
---|
| 464 | Conditions conditions = factory.createConditions(beginValidTime, endValidTime, null, null, null, null);
|
---|
| 465 |
|
---|
| 466 | List statements = createEvidenceStatements(factory);
|
---|
| 467 | evAsserts.add(factory.createAssertion(evAssertionID, evIssuerId, issueInstant, conditions, null, null, statements));
|
---|
| 468 | } catch (SAMLException ex) {
|
---|
| 469 | log.debug("Unable to create Evidence Assertion: " + ex.getMessage());
|
---|
| 470 | }
|
---|
| 471 | Evidence evidence = factory.createEvidence(null, evAsserts);
|
---|
| 472 | log.debug("SamlCallbackHandler.createEvidence() -- End");
|
---|
| 473 | return evidence;
|
---|
| 474 | }
|
---|
| 475 |
|
---|
| 476 | /**
|
---|
| 477 | * Creates a calendar object representing the time given.
|
---|
| 478 | * @param time following the simple date form MM/dd/yyyy HH:mm:ss
|
---|
| 479 | * @return The calendar object representing the given time
|
---|
| 480 | */
|
---|
| 481 | private GregorianCalendar createCal(String time) {
|
---|
| 482 | GregorianCalendar cal = calendarFactory();
|
---|
| 483 | try {
|
---|
| 484 | SimpleDateFormat dateForm = new SimpleDateFormat("MM/dd/yyyy HH:mm:ss");
|
---|
| 485 | cal.setTime(dateForm.parse(time));
|
---|
| 486 | log.info("SamlCallbackHandler.createCal() Date: " + (cal.get(Calendar.MONTH) + 1) + "/" + cal.get(Calendar.DAY_OF_MONTH) + "/" + cal.get(Calendar.YEAR) + " " + cal.get(Calendar.HOUR_OF_DAY) + ":" + cal.get(Calendar.MINUTE) + ":" + cal.get(Calendar.SECOND));
|
---|
| 487 | } catch (ParseException ex) {
|
---|
| 488 | log.error(SamlCallbackHandler.class.getName() + "Date form is expected to be MM/dd/yyyy HH:mm:ss set default date");
|
---|
| 489 | }
|
---|
| 490 | return cal;
|
---|
| 491 | }
|
---|
| 492 |
|
---|
| 493 | /**
|
---|
| 494 | * Creates the Attribute Statements needed for the Evidence element. These
|
---|
| 495 | * include the Attributes for the ContentType, ContentReference, and the
|
---|
| 496 | * base64binary Content as well.
|
---|
| 497 | * @param factory The factory object used to assist in the construction of
|
---|
| 498 | * the SAML Assertion token
|
---|
| 499 | * @return The listing of the attribute statements for the Evidence element
|
---|
| 500 | * @throws com.sun.xml.wss.saml.SAMLException
|
---|
| 501 | */
|
---|
| 502 | private List createEvidenceStatements(SAMLAssertionFactory factory) throws SAMLException {
|
---|
| 503 | log.debug("SamlCallbackHandler.createEvidenceStatements() -- Begin");
|
---|
| 504 | List statements = new ArrayList();
|
---|
| 505 | List attributes = new ArrayList();
|
---|
| 506 |
|
---|
| 507 | // Set the Reference to the SSA-827 form
|
---|
| 508 | List attributeValues1 = new ArrayList();
|
---|
| 509 | attributeValues1.add(tokenVals.getProperty(InternalTokenMgr.claimRefAttrName));
|
---|
| 510 | attributes.add(factory.createAttribute(InternalTokenMgr.claimRefAttrName, NHIN_NS, attributeValues1));
|
---|
| 511 |
|
---|
| 512 | // Set the format of the SSA-827 form
|
---|
| 513 | List attributeValues2 = new ArrayList();
|
---|
| 514 | attributeValues2.add(EVIDENCE_FORM_TYPE);
|
---|
| 515 | attributes.add(factory.createAttribute("ContentType", NHIN_NS, attributeValues2));
|
---|
| 516 |
|
---|
| 517 | // Set the content of the SSA-827 form
|
---|
| 518 | List attributeValues3 = new ArrayList();
|
---|
| 519 | attributeValues3.add(tokenVals.getProperty(InternalTokenMgr.claimFormAttrName).getBytes());
|
---|
| 520 | attributes.add(factory.createAttribute(InternalTokenMgr.claimFormAttrName, NHIN_NS, attributeValues3));
|
---|
| 521 |
|
---|
| 522 | if (!attributes.isEmpty()) {
|
---|
| 523 | statements.add(factory.createAttributeStatement(attributes));
|
---|
| 524 | }
|
---|
| 525 | log.debug("SamlCallbackHandler.createEvidenceStatements() -- End");
|
---|
| 526 | return statements;
|
---|
| 527 | }
|
---|
| 528 |
|
---|
| 529 | /**
|
---|
| 530 | * Reads the storage file and extracts all the stored key / value pairs as
|
---|
| 531 | * properties
|
---|
| 532 | */
|
---|
| 533 | private void getProperties() {
|
---|
| 534 | log.debug("SamlCallbackHandler.getProperties() -- Begin");
|
---|
| 535 |
|
---|
| 536 | tokenVals = new Properties();
|
---|
| 537 | BufferedReader reader = null;
|
---|
| 538 | String fileName = null;
|
---|
| 539 | try {
|
---|
| 540 | PropertyResourceBundle prop = (PropertyResourceBundle) PropertyResourceBundle.getBundle(InternalTokenMgr.propFileName);
|
---|
| 541 | fileName = prop.getString(InternalTokenMgr.storeFileName);
|
---|
| 542 |
|
---|
| 543 | reader = new BufferedReader(new FileReader(fileName));
|
---|
| 544 | tokenVals.load(reader);
|
---|
| 545 |
|
---|
| 546 | } catch (IOException ex) {
|
---|
| 547 | log.error("Can not access " + fileName + " " + ex);
|
---|
| 548 | } finally {
|
---|
| 549 | try {
|
---|
| 550 | if (reader != null) {
|
---|
| 551 | reader.close();
|
---|
| 552 | }
|
---|
| 553 | } catch (IOException iOException) {
|
---|
| 554 | log.error("SamlCallbackHandler " + iOException.getMessage());
|
---|
| 555 | }
|
---|
| 556 | }
|
---|
| 557 | log.debug("SamlCallbackHandler.getProperties() -- End");
|
---|
| 558 | return;
|
---|
| 559 | }
|
---|
| 560 |
|
---|
| 561 | /**
|
---|
| 562 | * Initializes the keystore access using the system properties defined in
|
---|
| 563 | * the domain.xml javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword
|
---|
| 564 | * @throws java.io.IOException
|
---|
| 565 | */
|
---|
| 566 | private void initKeyStore() throws IOException {
|
---|
| 567 | log.debug("SamlCallbackHandler.initKeyStore() -- Begin");
|
---|
| 568 | InputStream is = null;
|
---|
| 569 | String storeLoc = System.getProperty("javax.net.ssl.keyStore");
|
---|
| 570 | if (storeLoc != null) {
|
---|
| 571 | String password = System.getProperty("javax.net.ssl.keyStorePassword");
|
---|
| 572 | if (password != null) {
|
---|
| 573 | try {
|
---|
| 574 | keyStore = KeyStore.getInstance(storeType);
|
---|
| 575 | is = new FileInputStream(storeLoc);
|
---|
| 576 | keyStore.load(is, password.toCharArray());
|
---|
| 577 | } catch (NoSuchAlgorithmException ex) {
|
---|
| 578 | log.error("Error initializing KeyStore: " + ex);
|
---|
| 579 | throw new IOException(ex.getMessage());
|
---|
| 580 | } catch (CertificateException ex) {
|
---|
| 581 | log.error("Error initializing KeyStore: " + ex);
|
---|
| 582 | throw new IOException(ex.getMessage());
|
---|
| 583 | } catch (KeyStoreException ex) {
|
---|
| 584 | log.error("Error initializing KeyStore: " + ex);
|
---|
| 585 | throw new IOException(ex.getMessage());
|
---|
| 586 | }
|
---|
| 587 | log.debug("SamlCallbackHandler.initKeyStore() -- End");
|
---|
| 588 | } else {
|
---|
| 589 | log.error("javax.net.ssl.keyStorePassword is not defined in domain.xml");
|
---|
| 590 | }
|
---|
| 591 | } else {
|
---|
| 592 | log.error("javax.net.ssl.keyStore is not defined in domain.xml");
|
---|
| 593 | }
|
---|
| 594 | }
|
---|
| 595 |
|
---|
| 596 | /**
|
---|
| 597 | * Initializes the truststore access using the system properties defined in
|
---|
| 598 | * the domain.xml javax.net.ssl.trustStore and
|
---|
| 599 | * javax.net.ssl.trustStorePassword
|
---|
| 600 | * @throws java.io.IOException
|
---|
| 601 | */
|
---|
| 602 | private void initTrustStore() throws IOException {
|
---|
| 603 | log.debug("SamlCallbackHandler.initTrustStore() -- Begin");
|
---|
| 604 | InputStream is = null;
|
---|
| 605 | String storeLoc = System.getProperty("javax.net.ssl.trustStore");
|
---|
| 606 | if (storeLoc != null) {
|
---|
| 607 | String password = System.getProperty("javax.net.ssl.trustStorePassword");
|
---|
| 608 | if (password != null) {
|
---|
| 609 | try {
|
---|
| 610 | trustStore = KeyStore.getInstance(storeType);
|
---|
| 611 | is = new FileInputStream(storeLoc);
|
---|
| 612 | trustStore.load(is, password.toCharArray());
|
---|
| 613 | } catch (NoSuchAlgorithmException ex) {
|
---|
| 614 | log.error("Error initializing TrustStore: " + ex);
|
---|
| 615 | throw new IOException(ex.getMessage());
|
---|
| 616 | } catch (CertificateException ex) {
|
---|
| 617 | log.error("Error initializing TrustStore: " + ex);
|
---|
| 618 | throw new IOException(ex.getMessage());
|
---|
| 619 | } catch (KeyStoreException ex) {
|
---|
| 620 | log.error("Error initializing TrustStore: " + ex);
|
---|
| 621 | throw new IOException(ex.getMessage());
|
---|
| 622 | }
|
---|
| 623 | } else {
|
---|
| 624 | log.error("javax.net.ssl.trustStorePassword is not defined in domain.xml");
|
---|
| 625 | }
|
---|
| 626 | } else {
|
---|
| 627 | log.error("javax.net.ssl.trustStore is not defined in domain.xml");
|
---|
| 628 | }
|
---|
| 629 | log.debug("SamlCallbackHandler.initTrustStore() -- End");
|
---|
| 630 | }
|
---|
| 631 |
|
---|
| 632 | /**
|
---|
| 633 | * Finds the X509 certificate in the keystore with the client alias as
|
---|
| 634 | * defined in the domain.xml system property CLIENT_KEY_ALIAS and
|
---|
| 635 | * establishes the private key on the SignatureKeyCallback request using
|
---|
| 636 | * this certificate.
|
---|
| 637 | * @param request The SignatureKeyCallback request object
|
---|
| 638 | * @throws java.io.IOException
|
---|
| 639 | */
|
---|
| 640 | private void getDefaultPrivKeyCert(
|
---|
| 641 | SignatureKeyCallback.DefaultPrivKeyCertRequest request)
|
---|
| 642 | throws IOException {
|
---|
| 643 | log.debug("SamlCallbackHandler.getDefaultPrivKeyCert() -- Begin");
|
---|
| 644 | String uniqueAlias = null;
|
---|
| 645 | String client_key_alias = System.getProperty("CLIENT_KEY_ALIAS");
|
---|
| 646 | if (client_key_alias != null) {
|
---|
| 647 | String password = System.getProperty("javax.net.ssl.keyStorePassword");
|
---|
| 648 | if (password != null) {
|
---|
| 649 | try {
|
---|
| 650 | Enumeration aliases = keyStore.aliases();
|
---|
| 651 | while (aliases.hasMoreElements()) {
|
---|
| 652 | String currentAlias = (String) aliases.nextElement();
|
---|
| 653 | if (currentAlias.equals(client_key_alias)) {
|
---|
| 654 | if (keyStore.isKeyEntry(currentAlias)) {
|
---|
| 655 | Certificate thisCertificate = keyStore.getCertificate(currentAlias);
|
---|
| 656 | if (thisCertificate != null) {
|
---|
| 657 | if (thisCertificate instanceof X509Certificate) {
|
---|
| 658 | if (uniqueAlias == null) {
|
---|
| 659 | uniqueAlias = currentAlias;
|
---|
| 660 | break;
|
---|
| 661 | }
|
---|
| 662 | }
|
---|
| 663 | }
|
---|
| 664 | }
|
---|
| 665 | }
|
---|
| 666 | }
|
---|
| 667 | if (uniqueAlias != null) {
|
---|
| 668 | request.setX509Certificate(
|
---|
| 669 | (X509Certificate) keyStore.getCertificate(uniqueAlias));
|
---|
| 670 | request.setPrivateKey(
|
---|
| 671 | (PrivateKey) keyStore.getKey(uniqueAlias, password.toCharArray()));
|
---|
| 672 | } else {
|
---|
| 673 | log.error("Client key alais can not be determined");
|
---|
| 674 | }
|
---|
| 675 | } catch (UnrecoverableKeyException ex) {
|
---|
| 676 | log.error("Error initializing Private Key: " + ex);
|
---|
| 677 | throw new IOException(ex.getMessage());
|
---|
| 678 | } catch (NoSuchAlgorithmException ex) {
|
---|
| 679 | log.error("Error initializing Private Key: " + ex);
|
---|
| 680 | throw new IOException(ex.getMessage());
|
---|
| 681 | } catch (KeyStoreException ex) {
|
---|
| 682 | log.error("Error initializing Private Key: " + ex);
|
---|
| 683 | throw new IOException(ex.getMessage());
|
---|
| 684 | }
|
---|
| 685 | } else {
|
---|
| 686 | log.error("javax.net.ssl.keyStorePassword is not defined in domain.xml");
|
---|
| 687 | }
|
---|
| 688 | } else {
|
---|
| 689 | log.error("CLIENT_KEY_ALIAS is not defined in domain.xml");
|
---|
| 690 | }
|
---|
| 691 | log.debug("SamlCallbackHandler.getDefaultPrivKeyCert() -- End");
|
---|
| 692 | }
|
---|
| 693 |
|
---|
| 694 | /**
|
---|
| 695 | * Creates a calendar instance set to the current system time in GMT
|
---|
| 696 | * @return The calendar instance
|
---|
| 697 | */
|
---|
| 698 | private GregorianCalendar calendarFactory() {
|
---|
| 699 | GregorianCalendar calendar = new GregorianCalendar();
|
---|
| 700 | calendar.setTimeZone(TimeZone.getTimeZone("GMT"));
|
---|
| 701 | return calendar;
|
---|
| 702 | }
|
---|
| 703 | }
|
---|