17 package org.opensaml.saml2.binding.security;
19 import java.io.UnsupportedEncodingException;
21 import javax.servlet.http.HttpServletRequest;
23 import org.opensaml.common.binding.SAMLMessageContext;
24 import org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule;
25 import org.opensaml.ws.security.SecurityPolicyException;
26 import org.opensaml.ws.transport.http.HTTPTransportUtils;
27 import org.opensaml.xml.signature.SignatureTrustEngine;
28 import org.opensaml.xml.util.DatatypeHelper;
29 import org.slf4j.Logger;
30 import org.slf4j.LoggerFactory;
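/**
 * Security policy rule that verifies the simple signature carried on a SAML 2 message
 * received over the HTTP-Redirect DEFLATE binding.
 *
 * <p>The rule only handles HTTP GET requests. The content handed to the trust engine for
 * verification is rebuilt from the <em>raw</em> (still URL-encoded) query string parameters,
 * joined with '&amp;' in the order SAMLRequest or SAMLResponse, then RelayState, then SigAlg.
 * Using the raw form is essential: the sender signed the encoded bytes, so taking the servlet
 * container's decoded parameter values and re-encoding them would not reproduce the signed
 * input and verification would fail.</p>
 */
public class SAML2HTTPRedirectDeflateSignatureRule extends BaseSAMLSimpleSignatureSecurityPolicyRule {

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(SAML2HTTPRedirectDeflateSignatureRule.class);

    /**
     * Constructor.
     *
     * @param engine the trust engine used to evaluate the message signature
     */
    public SAML2HTTPRedirectDeflateSignatureRule(SignatureTrustEngine engine) {
        super(engine);
    }

    /**
     * Indicates whether this rule applies to the given request. Only HTTP GET carries the
     * HTTP-Redirect binding, so any other method is left to other rules.
     *
     * @param request the inbound HTTP request
     * @param samlMsgCtx the current SAML message context (not consulted by this rule)
     * @return true if the request method is GET, false otherwise
     * @throws SecurityPolicyException never thrown by this implementation; declared to honour
     *             the base class contract
     */
    protected boolean ruleHandles(HttpServletRequest request, SAMLMessageContext samlMsgCtx)
            throws SecurityPolicyException {
        return "GET".equals(request.getMethod());
    }

    /**
     * Builds the byte sequence over which the HTTP-Redirect simple signature was computed.
     *
     * @param request the inbound HTTP request
     * @return the UTF-8 bytes of the reconstructed signed content, or null if no signed content
     *         could be produced
     * @throws SecurityPolicyException if the query string contains neither a SAMLRequest nor a
     *             SAMLResponse parameter
     */
    protected byte[] getSignedContent(HttpServletRequest request) throws SecurityPolicyException {
        // The undecoded query string is used deliberately; see the class Javadoc for why the
        // decoded request parameters cannot be used here.
        String queryString = request.getQueryString();
        log.debug("Constructing signed content string from URL query string {}", queryString);

        String constructed = buildSignedContentString(queryString);
        if (DatatypeHelper.isEmpty(constructed)) {
            log.warn("Could not extract signed content string from query string");
            return null;
        }
        log.debug("Constructed signed content string for HTTP-Redirect DEFLATE {}", constructed);

        try {
            return constructed.getBytes("UTF-8");
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is a mandatory charset on every JVM, so this branch is effectively
            // unreachable. It is logged rather than silently swallowed so that an unexpected
            // failure here shows up as something other than an unexplained signature failure.
            log.error("JVM does not support UTF-8 encoding, unable to build signed content", e);
            return null;
        }
    }

    /**
     * Reconstructs the signed content string from the raw query string.
     *
     * <p>The parameters are appended in the order mandated for the HTTP-Redirect binding:
     * the message parameter (SAMLRequest, or SAMLResponse if no SAMLRequest is present),
     * then RelayState, then SigAlg. RelayState and SigAlg are optional here; a missing one is
     * simply skipped.</p>
     *
     * @param queryString the raw, undecoded query string of the request
     * @return the reconstructed signed content string
     * @throws SecurityPolicyException if neither a SAMLRequest nor a SAMLResponse parameter
     *             is present in the query string
     */
    private String buildSignedContentString(String queryString) throws SecurityPolicyException {
        StringBuilder builder = new StringBuilder();

        // Exactly one of SAMLRequest / SAMLResponse is expected; SAMLRequest wins if both appear.
        if (!appendParameter(builder, queryString, "SAMLRequest")) {
            if (!appendParameter(builder, queryString, "SAMLResponse")) {
                log.warn("Could not extract either a SAMLRequest or a SAMLResponse from the query string");
                throw new SecurityPolicyException("Extract of SAMLRequest or SAMLResponse from query string failed");
            }
        }

        appendParameter(builder, queryString, "RelayState");

        appendParameter(builder, queryString, "SigAlg");

        return builder.toString();
    }

    /**
     * Appends the raw {@code name=value} form of a query string parameter to the builder,
     * separated from any preceding content by '&amp;'.
     *
     * @param builder the builder accumulating the signed content string
     * @param queryString the raw, undecoded query string of the request
     * @param paramName the name of the parameter to look up
     * @return true if the parameter was found and appended, false if it is absent
     */
    private boolean appendParameter(StringBuilder builder, String queryString, String paramName) {
        String rawParam = HTTPTransportUtils.getRawQueryStringParameter(queryString, paramName);
        if (rawParam == null) {
            return false;
        }

        // Only insert a separator once the builder already holds a parameter.
        if (builder.length() > 0) {
            builder.append('&');
        }

        builder.append(rawParam);

        return true;
    }
}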