From f2c7d746ea75a6cf4985090bbb324fa40d055873 Mon Sep 17 00:00:00 2001 From: Michael Jumper Date: Thu, 26 Jan 2023 09:43:49 -0800 Subject: [PATCH] GUACAMOLE-839: Move authentication session management service to internal common SSO library. --- .../auth/sso/AuthenticationSession.java | 58 ++++++++++++++++++ .../sso}/AuthenticationSessionManager.java | 56 +++++------------- .../auth/sso}/IdentifierGenerator.java | 25 ++++++-- .../guacamole/auth/sso/NonceService.java | 18 +++--- .../saml/AuthenticationProviderService.java | 4 +- .../SAMLAuthenticationProviderModule.java | 6 +- .../acs/AssertionConsumerServiceResource.java | 4 +- ...on.java => SAMLAuthenticationSession.java} | 28 ++++----- .../acs/SAMLAuthenticationSessionManager.java | 59 +++++++++++++++++++ .../guacamole/auth/saml/acs/SAMLService.java | 14 ++--- 10 files changed, 188 insertions(+), 84 deletions(-) create mode 100644 extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSession.java rename extensions/guacamole-auth-sso/modules/{guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs => guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso}/AuthenticationSessionManager.java (72%) rename extensions/guacamole-auth-sso/modules/{guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs => guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso}/IdentifierGenerator.java (66%) rename extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/{AuthenticationSession.java => SAMLAuthenticationSession.java} (77%) create mode 100644 extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLAuthenticationSessionManager.java 
diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSession.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSession.java new file mode 100644 index 000000000..89d75df70 --- /dev/null +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSession.java 
@@ -0,0 +1,58 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.sso;
+
+/**
+ * Representation of an in-progress authentication attempt.
+ */
+public class AuthenticationSession {
+
+ /**
+ * The absolute point in time after which this authentication session is
+ * invalid. This value is a UNIX epoch timestamp, as may be returned by
+ * {@link System#currentTimeMillis()}.
+ */
+ private final long expirationTimestamp;
+
+ /**
+ * Creates a new AuthenticationSession representing an in-progress
+ * authentication attempt.
+ *
+ * @param expires
+ * The number of milliseconds that may elapse before this session must
+ * be considered invalid.
+ */
+ public AuthenticationSession(long expires) {
+ this.expirationTimestamp = System.currentTimeMillis() + expires;
+ }
+
+ /**
+ * Returns whether this authentication session is still valid (has not yet
+ * expired).
+ *
+ * @return
+ * true if this authentication session is still valid, false if it has
+ * expired.
+ */
+ public boolean isValid() {
+ return System.currentTimeMillis() < expirationTimestamp;
+ }
+
+}
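Review bot: The constructor stores `System.currentTimeMillis() + expires` without checking `expires`, so a zero or negative value silently produces a session that `isValid()` already rejects, and a very large value overflows into a negative timestamp with the same effect. A guard such as `if (expires <= 0) throw new IllegalArgumentException("expires must be positive");` would surface a misconfigured timeout (the SAML caller passes `confService.getAuthenticationTimeout() * 60000L`) at construction time rather than as an unexplained authentication failure later. Since `isValid()` is overridden by `SAMLAuthenticationSession` and is what `AuthenticationSessionManager.resume()` relies on to reject stale sessions, the class Javadoc could also state that overrides are expected to tighten, not loosen, the expiry check.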
diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/AuthenticationSessionManager.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSessionManager.java similarity index 72% rename from extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/AuthenticationSessionManager.java rename to extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSessionManager.java index 2e55d2cfc..7050c98be 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/AuthenticationSessionManager.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSessionManager.java @@ -17,7 +17,7 @@ * under the License. */ -package org.apache.guacamole.auth.saml.acs; +package org.apache.guacamole.auth.sso; import com.google.common.base.Predicates; import com.google.inject.Inject; 
@@ -29,14 +29,17 @@ import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.TimeUnit; /** - * Manager service that temporarily stores SAML authentication attempts while + * Manager service that temporarily stores a user's authentication status while * the authentication flow is underway. Authentication attempts are represented * as temporary authentication sessions, allowing authentication attempts to - * span multiple requests and redirects. Invalid or stale authentication + * span multiple requests, redirects, etc. Invalid or stale authentication * sessions are automatically purged from storage. + * + * @param + * The type of sessions managed by this session manager. */ @Singleton -public class AuthenticationSessionManager { +public class AuthenticationSessionManager { /** * Generator of arbitrary, unique, unpredictable identifiers. @@ -48,8 +51,7 @@ public class AuthenticationSessionManager { * Map of authentication session identifiers to their associated * {@link AuthenticationSession}. */ - private final ConcurrentMap sessions = - new ConcurrentHashMap<>(); + private final ConcurrentMap sessions = new ConcurrentHashMap<>(); /** * Executor service which runs the periodic cleanup task @@ -59,7 +61,7 @@ public class AuthenticationSessionManager { /** * Creates a new AuthenticationSessionManager that manages in-progress - * SAML authentication attempts. Invalid, stale sessions are automatically + * authentication attempts. Invalid, stale sessions are automatically * cleaned up. */ public AuthenticationSessionManager() { 
@@ -82,10 +84,10 @@ public class AuthenticationSessionManager { * was invoked, or null if the session is no longer valid or no such * value was returned by defer(). */ - public AuthenticationSession resume(String identifier) { + public T resume(String identifier) { if (identifier != null) { - AuthenticationSession session = sessions.remove(identifier); + T session = sessions.remove(identifier); if (session != null && session.isValid()) return session; } @@ -94,32 +96,6 @@ public class AuthenticationSessionManager { } - /** - * Returns the identity finally asserted by the SAML IdP at the end of the - * authentication process represented by the authentication session with - * the given identifier. If there is no such authentication session, or no - * valid identity has been asserted by the SAML IdP for that session, null - * is returned. - * - * @param identifier - * The unique string returned by the call to defer(). For convenience, - * this value may safely be null. - * - * @return - * The identity finally asserted by the SAML IdP at the end of the - * authentication process represented by the authentication session - * with the given identifier, or null if there is no such identity. - */ - public AssertedIdentity getIdentity(String identifier) { - - AuthenticationSession session = resume(identifier); - if (session != null) - return session.getIdentity(); - - return null; - - } - /** * Defers the Guacamole side of authentication for the user having the * given authentication session such that it may be later resumed through a 
@@ -129,14 +105,14 @@ public class AuthenticationSessionManager { * This method will automatically generate a new identifier. * * @param session - * The {@link AuthenticationSession} representing the in-progress SAML + * The {@link AuthenticationSession} representing the in-progress * authentication attempt. * * @return * A unique and unpredictable string that may be used to represent the * given session when calling resume(). */ - public String defer(AuthenticationSession session) { + public String defer(T session) { String identifier = idGenerator.generateIdentifier(); sessions.put(identifier, session); return identifier; @@ -152,20 +128,20 @@ public class AuthenticationSessionManager { * or similar unique identifier. * * @param session - * The {@link AuthenticationSession} representing the in-progress SAML + * The {@link AuthenticationSession} representing the in-progress * authentication attempt. * * @param identifier * A unique and unpredictable string that may be used to represent the * given session when calling resume(). */ - public void defer(AuthenticationSession session, String identifier) { + public void defer(T session, String identifier) { sessions.put(identifier, session); } /** * Shuts down the executor service that periodically removes all invalid - * authentication sessions. This must be invoked when the SAML extension is + * authentication sessions. This must be invoked when the auth extension is * shut down in order to avoid resource leaks. */ public void shutdown() { 
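Review bot: The two-argument `defer(T session, String identifier)` stores a caller-supplied key with `sessions.put(identifier, session)`, which silently replaces any session already registered under that identifier; the one-argument form cannot collide because `idGenerator.generateIdentifier()` yields a fresh 256-bit value, but here uniqueness is entirely up to the caller. Using `if (sessions.putIfAbsent(identifier, session) != null) throw new IllegalStateException("Duplicate authentication session identifier");` would make a collision fail closed instead of discarding an in-progress attempt. The Javadoc of this overload should also say that, unlike the one-argument form, the manager does not enforce uniqueness or unpredictability of the supplied identifier. The class body continues outside the hunk (`shutdown()` is cut off).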
diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/IdentifierGenerator.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/IdentifierGenerator.java similarity index 66% rename from extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/IdentifierGenerator.java rename to extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/IdentifierGenerator.java index a2a3aae6a..799b31b13 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/IdentifierGenerator.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/IdentifierGenerator.java @@ -17,7 +17,7 @@ * under the License. */ -package org.apache.guacamole.auth.saml.acs; +package org.apache.guacamole.auth.sso; import com.google.common.io.BaseEncoding; import com.google.inject.Singleton; @@ -26,7 +26,7 @@ import java.security.SecureRandom; /** * Generator of unique and unpredictable identifiers. Each generated identifier * is an arbitrary, random string produced using a cryptographically-secure - * random number generator and consists of at least 256 bits. + * random number generator. */ @Singleton public class IdentifierGenerator { 
@@ -43,10 +43,27 @@ public class IdentifierGenerator { * number generator. * * @return - * A unique and unpredictable identifier. + * A unique and unpredictable identifier with at least 256 bits of + * entropy. */ public String generateIdentifier() { - byte[] bytes = new byte[33]; + return generateIdentifier(256); + } + + /** + * Generates a unique and unpredictable identifier having at least the + * given number of bits of entropy. The resulting identifier may have more + * than the number of bits required. + * + * @param minBits + * The number of bits of entropy that the identifier should contain. + * + * @return + * A unique and unpredictable identifier with at least the given number + * of bits of entropy. + */ + public String generateIdentifier(int minBits) { + byte[] bytes = new byte[(minBits + 23) / 24 * 3]; // Round up to nearest multiple of 3 bytes, as base64 encodes blocks of 3 bytes at a time secureRandom.nextBytes(bytes); return BaseEncoding.base64().encode(bytes); } diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/NonceService.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/NonceService.java index 7c41dd9d6..88fff881b 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/NonceService.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/NonceService.java @@ -19,9 +19,8 @@ package org.apache.guacamole.auth.sso; +import com.google.inject.Inject; import com.google.inject.Singleton; -import java.math.BigInteger; -import java.security.SecureRandom; import java.util.Iterator; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; 
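Review bot: `generateIdentifier(int minBits)` does not validate its argument: `(minBits + 23) / 24 * 3` yields a zero-length array for `minBits` in the range -23 to 0, so the method returns an empty string, for smaller values `new byte[...]` throws `NegativeArraySizeException`, and `minBits + 23` overflows near `Integer.MAX_VALUE`. Adding `if (minBits <= 0) throw new IllegalArgumentException("minBits must be positive");` at the top of the method keeps the documented at-least-minBits guarantee honest; an empty identifier is the one value a nonce or session key must never take. The `@param minBits` Javadoc could then state the precondition and an `@throws IllegalArgumentException` tag.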
@@ -33,23 +32,28 @@ import java.util.concurrent.ConcurrentHashMap; public class NonceService { /** - * Cryptographically-secure random number generator for generating the - * required nonce. + * Generator of arbitrary, unique, unpredictable identifiers. */ - private final SecureRandom random = new SecureRandom(); + @Inject + private IdentifierGenerator idGenerator; /** * Map of all generated nonces to their corresponding expiration timestamps. * This Map must be periodically swept of expired nonces to avoid growing * without bound. */ - private final Map nonces = new ConcurrentHashMap(); + private final Map nonces = new ConcurrentHashMap<>(); /** * The timestamp of the last expired nonce sweep. */ private long lastSweep = System.currentTimeMillis(); + /** + * The minimum number of bits of entropy to include in each nonce. + */ + private static final int NONCE_BITS = 128; + /** * The minimum amount of time to wait between sweeping expired nonces from * the Map. @@ -102,7 +106,7 @@ public class NonceService { sweepExpiredNonces(); // Generate and store nonce, along with expiration timestamp - String nonce = new BigInteger(130, random).toString(32); + String nonce = idGenerator.generateIdentifier(NONCE_BITS); nonces.put(nonce, System.currentTimeMillis() + maxAge); return nonce; diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/AuthenticationProviderService.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/AuthenticationProviderService.java index cdd53dec6..982028f16 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/AuthenticationProviderService.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/AuthenticationProviderService.java 
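Review bot: Replacing `new BigInteger(130, random).toString(32)` with `idGenerator.generateIdentifier(NONCE_BITS)` changes the nonce alphabet from base-32 digits and letters to standard base64, which includes `+`, `/` and `=`; if any consumer places the nonce in a URL query string or an HTML attribute without encoding it (the callers are not visible in this diff), the value will not round-trip and the later lookup in `nonces` will fail. If that is a concern, switching `IdentifierGenerator` to `BaseEncoding.base64Url().omitPadding()` would keep identifiers URL-safe for every caller while preserving the entropy. Separately, `idGenerator` is now a field-injected dependency, so `NonceService` can no longer be constructed outside Guice (for example in a unit test) without reflection; constructor injection would keep that possible.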
@@ -28,7 +28,7 @@ import javax.servlet.http.HttpServletRequest; import org.apache.guacamole.auth.saml.user.SAMLAuthenticatedUser; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.saml.acs.AssertedIdentity; -import org.apache.guacamole.auth.saml.acs.AuthenticationSessionManager; +import org.apache.guacamole.auth.saml.acs.SAMLAuthenticationSessionManager; import org.apache.guacamole.auth.saml.acs.SAMLService; import org.apache.guacamole.auth.sso.SSOAuthenticationProviderService; import org.apache.guacamole.form.Field; @@ -61,7 +61,7 @@ public class AuthenticationProviderService implements SSOAuthenticationProviderS * Manager of active SAML authentication attempts. */ @Inject - private AuthenticationSessionManager sessionManager; + private SAMLAuthenticationSessionManager sessionManager; /** * Service for processing SAML requests/responses. diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/SAMLAuthenticationProviderModule.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/SAMLAuthenticationProviderModule.java index 3c7300baa..7c7dd49ed 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/SAMLAuthenticationProviderModule.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/SAMLAuthenticationProviderModule.java 
@@ -22,8 +22,7 @@ package org.apache.guacamole.auth.saml; import com.google.inject.AbstractModule; import org.apache.guacamole.auth.saml.conf.ConfigurationService; import org.apache.guacamole.auth.saml.acs.AssertionConsumerServiceResource; -import org.apache.guacamole.auth.saml.acs.AuthenticationSessionManager; -import org.apache.guacamole.auth.saml.acs.IdentifierGenerator; +import org.apache.guacamole.auth.saml.acs.SAMLAuthenticationSessionManager; import org.apache.guacamole.auth.saml.acs.SAMLService; /** @@ -34,9 +33,8 @@ public class SAMLAuthenticationProviderModule extends AbstractModule { @Override protected void configure() { bind(AssertionConsumerServiceResource.class); - bind(AuthenticationSessionManager.class); bind(ConfigurationService.class); - bind(IdentifierGenerator.class); + bind(SAMLAuthenticationSessionManager.class); bind(SAMLService.class); } diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/AssertionConsumerServiceResource.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/AssertionConsumerServiceResource.java index e316b3868..7aadc73f5 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/AssertionConsumerServiceResource.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/AssertionConsumerServiceResource.java @@ -56,7 +56,7 @@ public class AssertionConsumerServiceResource extends SSOResource { * Manager of active SAML authentication attempts. */ @Inject - private AuthenticationSessionManager sessionManager; + private SAMLAuthenticationSessionManager sessionManager; /** * Service for processing SAML requests/responses. 
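Review bot: `bind(IdentifierGenerator.class)` is removed from `configure()` in `SAMLAuthenticationProviderModule`, yet the class is still imported by `SAMLService` in this module and injected by `NonceService` in the base library. Guice will satisfy those injection points with a just-in-time binding of the `@Singleton`-annotated class provided it has an injectable constructor, so this presumably still works, but the binding is no longer declared anywhere visible in the diff. Either the shared SSO module should bind it explicitly, or a comment in `configure()` such as `// IdentifierGenerator is bound just-in-time by Guice from the SSO base library` should record the reliance so a duplicate binding is not reintroduced in a child injector.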
@@ -107,7 +107,7 @@ public class AssertionConsumerServiceResource extends SSOResource { try { // Validate and parse identity asserted by SAML IdP - AuthenticationSession session = saml.processResponse( + SAMLAuthenticationSession session = saml.processResponse( consumedRequest.getRequestURL().toString(), relayState, samlResponse); diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/AuthenticationSession.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLAuthenticationSession.java similarity index 77% rename from extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/AuthenticationSession.java rename to extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLAuthenticationSession.java index b73bc7adb..bbd74e2a9 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/AuthenticationSession.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLAuthenticationSession.java @@ -19,17 +19,12 @@ package org.apache.guacamole.auth.saml.acs; +import org.apache.guacamole.auth.sso.AuthenticationSession; + /** * Representation of an in-progress SAML authentication attempt. */ -public class AuthenticationSession { - - /** - * The absolute point in time after which this authentication session is - * invalid. This value is a UNIX epoch timestamp, as may be returned by - * {@link System#currentTimeMillis()}. - */ - private final long expirationTimestamp; +public class SAMLAuthenticationSession extends AuthenticationSession { /** * The request ID of the SAML request associated with the authentication 
@@ -55,24 +50,21 @@ public class AuthenticationSession { * The number of milliseconds that may elapse before this session must * be considered invalid. */ - public AuthenticationSession(String requestId, long expires) { - this.expirationTimestamp = System.currentTimeMillis() + expires; + public SAMLAuthenticationSession(String requestId, long expires) { + super(expires); this.requestId = requestId; } /** - * Returns whether this authentication session is still valid (has not yet - * expired). If an identity has been asserted by the SAML IdP, this + * {@inheritDoc} + * + *

If an identity has been asserted by the SAML IdP, this * considers also whether the SAML response asserting that identity has * expired. - * - * @return - * true if this authentication session is still valid, false if it has - * expired. */ + @Override public boolean isValid() { - return System.currentTimeMillis() < expirationTimestamp - && (identity == null || identity.isValid()); + return super.isValid() && (identity == null || identity.isValid()); } /** diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLAuthenticationSessionManager.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLAuthenticationSessionManager.java new file mode 100644 index 000000000..4adf82f2c --- /dev/null +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLAuthenticationSessionManager.java 
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.saml.acs;
+
+import com.google.inject.Singleton;
+import org.apache.guacamole.auth.sso.AuthenticationSessionManager;
+
+/**
+ * Manager service that temporarily stores SAML authentication attempts while
+ * the authentication flow is underway.
+ */
+@Singleton
+public class SAMLAuthenticationSessionManager
+ extends AuthenticationSessionManager {
+
+ /**
+ * Returns the identity finally asserted by the SAML IdP at the end of the
+ * authentication process represented by the authentication session with
+ * the given identifier. If there is no such authentication session, or no
+ * valid identity has been asserted by the SAML IdP for that session, null
+ * is returned.
+ *
+ * @param identifier
+ * The unique string returned by the call to defer(). For convenience,
+ * this value may safely be null.
+ *
+ * @return
+ * The identity finally asserted by the SAML IdP at the end of the
+ * authentication process represented by the authentication session
+ * with the given identifier, or null if there is no such identity.
+ */ + public AssertedIdentity getIdentity(String identifier) { + + SAMLAuthenticationSession session = resume(identifier); + if (session != null) + return session.getIdentity(); + + return null; + + } + +} diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLService.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLService.java index c3357eefb..2fe6da4c8 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLService.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLService.java @@ -22,7 +22,6 @@ package org.apache.guacamole.auth.saml.acs; import com.google.inject.Inject; import com.google.inject.Singleton; import com.onelogin.saml2.Auth; -import com.onelogin.saml2.authn.AuthnRequest; import com.onelogin.saml2.authn.AuthnRequestParams; import com.onelogin.saml2.authn.SamlResponse; import com.onelogin.saml2.exception.SettingsException; @@ -37,6 +36,7 @@ import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleSecurityException; import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.auth.saml.conf.ConfigurationService; +import org.apache.guacamole.auth.sso.IdentifierGenerator; import org.xml.sax.SAXException; /** @@ -56,7 +56,7 @@ public class SAMLService { * Manager of active SAML authentication attempts. */ @Inject - private AuthenticationSessionManager sessionManager; + private SAMLAuthenticationSessionManager sessionManager; /** * Generator of arbitrary, unique, unpredictable identifiers. 
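Review bot: `getIdentity()` consumes the session it looks up: `resume(identifier)` removes the entry from the manager's map, so when `session.getIdentity()` is null the in-progress attempt is discarded along with the null return, and a subsequent valid response for the same identifier is rejected. This is the behaviour the method had before the move, but its Javadoc only promises a null result; a sentence such as `The authentication session is removed from this manager as a side effect of this call, whether or not an identity has been asserted.` would make the single-use contract explicit now that the method sits on top of a generic, reusable base class.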
@@ -99,7 +99,7 @@ public class SAMLService { // Create a new authentication session to represent this attempt while // it is in progress, using the request ID that was just issued - AuthenticationSession session = new AuthenticationSession( + SAMLAuthenticationSession session = new SAMLAuthenticationSession( auth.getLastRequestId(), confService.getAuthenticationTimeout() * 60000L); @@ -127,7 +127,7 @@ public class SAMLService { /** * Processes the given SAML response, as received by the SAML ACS endpoint - * at the given URL, producing an {@link AuthenticationSession} that now + * at the given URL, producing an {@link SAMLAuthenticationSession} that now * includes a valid assertion of the user's identity. If the SAML response * is invalid in any way, an exception is thrown. * @@ -148,7 +148,7 @@ public class SAMLService { * given URL. * * @return - * The {@link AuthenticationSession} associated with the in-progress + * The {@link SAMLAuthenticationSession} associated with the in-progress * authentication attempt, now associated with the {@link AssertedIdentity} * representing the identity of the user asserted by the SAML IdP. * @@ -157,14 +157,14 @@ public class SAMLService { * information required to validate or decrypt the response cannot be * read. */ - public AuthenticationSession processResponse(String url, String relayState, + public SAMLAuthenticationSession processResponse(String url, String relayState, String encodedResponse) throws GuacamoleException { if (relayState == null) throw new GuacamoleSecurityException("\"RelayState\" value " + "is missing from SAML response."); - AuthenticationSession session = sessionManager.resume(relayState); + SAMLAuthenticationSession session = sessionManager.resume(relayState); if (session == null) throw new GuacamoleSecurityException("\"RelayState\" value " + "included with SAML response is not valid.");