
Example 1 with ReceivedToken

use of org.apache.cxf.sts.request.ReceivedToken in project OpenAM by OpenRock.

Class SoapOpenIdConnectTokenProvider, method createToken.

/**
 * Issues an OpenID Connect token for a SOAP STS request.
 *
 * <p>The authentication context class reference and the set of authentication
 * method references are derived from the security-policy binding traversal
 * results; when the request is a delegated context, the delegated-token
 * variants of the mapper calls are used and the delegated {@link ReceivedToken}
 * is passed along. The interim OpenAM session ids recorded in
 * {@code threadLocalAMTokenCache} are invalidated on every exit path,
 * whether or not a token was issued.
 *
 * @param tokenProviderParameters the CXF STS provider parameters for this request
 * @return the response carrying the token element and its token id
 * @throws AMSTSRuntimeException if assertion creation fails; wraps the underlying
 *         {@link TokenCreationException} and preserves its code and message
 */
@Override
public TokenProviderResponse createToken(TokenProviderParameters tokenProviderParameters) {
    try {
        final SoapTokenProviderBase.AuthenticationContextMapperState mapperState =
                getAuthenticationContextMapperState(tokenProviderParameters);
        final List<WSHandlerResult> handlerResults = mapperState.getSecurityPolicyBindingTraversalYield();

        final String acrValue;
        final Set<String> amrValues;
        if (!mapperState.isDelegatedContext()) {
            acrValue = authnContextMapper.getAuthnContext(handlerResults);
            amrValues = methodsReferencesMapper.getAuthnMethodsReferences(handlerResults);
        } else {
            final ReceivedToken delegated = mapperState.getDelegatedToken();
            acrValue = authnContextMapper.getAuthnContextForDelegatedToken(handlerResults, delegated);
            amrValues = methodsReferencesMapper.getAuthnMethodsReferencesForDelegatedToken(handlerResults, delegated);
        }

        final TokenProviderResponse response = new TokenProviderResponse();
        try {
            // Issue time is passed in seconds since the epoch; NULL_NONCE is used for SOAP issuance.
            final String assertion = getAssertion(getValidationInvocationContext(tokenProviderParameters),
                    acrValue, amrValues, System.currentTimeMillis() / 1000, NULL_NONCE);
            response.setToken(buildTokenElement(assertion));
            response.setTokenId(getTokenId(assertion));
            return response;
        } catch (TokenCreationException e) {
            throw new AMSTSRuntimeException(e.getCode(), e.getMessage(), e);
        }
    } finally {
        /*
         * Best effort: a failure to invalidate the interim OpenAM session must not
         * prevent a token from being issued, so nothing is rethrown here.
         */
        try {
            amSessionInvalidator.invalidateAMSessions(threadLocalAMTokenCache.getToBeInvalidatedAMSessionIds());
        } catch (Exception e) {
            String message = "Exception caught invalidating interim AMSession in SoapOpenIdConnectTokenProvider: " + e;
            logger.warn(message, e);
        }
    }
}
Also used : Element(org.w3c.dom.Element) AMSTSRuntimeException(org.forgerock.openam.sts.AMSTSRuntimeException) TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) SoapTokenProviderBase(org.forgerock.openam.sts.soap.token.provider.SoapTokenProviderBase) WSHandlerResult(org.apache.ws.security.handler.WSHandlerResult) TokenCreationException(org.forgerock.openam.sts.TokenCreationException) JwtReconstructionException(org.forgerock.json.jose.exceptions.JwtReconstructionException) TokenCreationException(org.forgerock.openam.sts.TokenCreationException) AMSTSRuntimeException(org.forgerock.openam.sts.AMSTSRuntimeException) JsonValueException(org.forgerock.json.JsonValueException) ResourceException(org.forgerock.json.resource.ResourceException)

Example 2 with ReceivedToken

use of org.apache.cxf.sts.request.ReceivedToken in project ddf by codice.

Class GuestValidator, method validateToken.

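/**
 * Validates a guest {@link ReceivedToken}.
 *
 * <p>The token is marked {@code INVALID} first (fail closed) and is only promoted to
 * {@code VALID} when the decoded guest token carries the shared guest credentials, an
 * IP address accepted by {@code validIpAddress}, and either no realm at all or a realm
 * that is contained in {@code supportedRealm} or equals the literal {@code "*"}.
 *
 * @param tokenParameters the CXF STS validator parameters holding the token to check
 * @return a response referencing the token (with its state set) and, whenever a guest
 *         token could be decoded from it, a {@link GuestPrincipal} for its IP address
 */
@Override
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
    TokenValidatorResponse response = new TokenValidatorResponse();
    ReceivedToken validateTarget = tokenParameters.getToken();
    // Fail closed: the token stays INVALID unless every acceptance rule below passes.
    validateTarget.setState(ReceivedToken.STATE.INVALID);
    GuestAuthenticationToken guestToken = getGuestTokenFromTarget(validateTarget);
    response.setToken(validateTarget);
    if (guestToken != null) {
        // NOTE: the response principal is populated even when the token ends up INVALID
        // (pre-existing behaviour); callers must consult the token state, not the principal.
        response.setPrincipal(new GuestPrincipal(guestToken.getIpAddress()));
        if (isAcceptedGuestToken(guestToken)) {
            validateTarget.setState(ReceivedToken.STATE.VALID);
            validateTarget.setPrincipal(new GuestPrincipal(guestToken.getIpAddress()));
        }
    }
    return response;
}

/**
 * Applies the guest-token acceptance rules shared by the realm-present and
 * realm-absent cases: the realm (when present) must be supported or the wildcard
 * {@code "*"}, the credentials must equal {@code GUEST_CREDENTIALS}, and the IP
 * address must pass {@code validIpAddress}.
 *
 * <p>The credentials comparison is written null-safe so that a token without
 * credentials is rejected instead of raising a {@link NullPointerException}.
 *
 * @param guestToken the decoded guest token, never {@code null}
 * @return {@code true} when the token satisfies all acceptance rules
 */
private boolean isAcceptedGuestToken(GuestAuthenticationToken guestToken) {
    String realm = guestToken.getRealm();
    // A literal "*" realm is accepted regardless of supportedRealm, so a token can opt
    // out of realm scoping by claiming "*" — relying on the realm alone for authorisation
    // decisions downstream would be unsafe.
    boolean realmOk = realm == null || supportedRealm.contains(realm) || "*".equals(realm);
    return realmOk
            && GuestAuthenticationToken.GUEST_CREDENTIALS.equals(guestToken.getCredentials())
            && validIpAddress(guestToken.getIpAddress());
}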
Also used : GuestAuthenticationToken(org.codice.ddf.security.handler.api.GuestAuthenticationToken) GuestPrincipal(ddf.security.principal.GuestPrincipal) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)

Example 3 with ReceivedToken

use of org.apache.cxf.sts.request.ReceivedToken in project ddf by codice.

Class GuestValidatorTest, method setup.

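/** WS-Security SecExt 1.0 namespace of the {@code BinarySecurityToken} element. */
private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

/**
 * Builds the shared fixtures: a {@link GuestValidator} that only supports realm
 * {@code "DDF"}, five {@link ReceivedToken}s wrapping guest BinarySecurityTokens
 * (supported realm, wildcard realm, a value that is not a guest credential, an IPv6
 * address and an IPv6 address with a zone index), and validator parameters that
 * carry the plain supported-realm token.
 */
@Before
public void setup() {
    validator = new GuestValidator();
    validator.setSupportedRealm(Arrays.asList("DDF"));

    GuestAuthenticationToken guestAuthenticationToken = new GuestAuthenticationToken("DDF", "127.0.0.1");
    GuestAuthenticationToken guestAuthenticationTokenAnyRealm = new GuestAuthenticationToken("*", "127.0.0.1");
    GuestAuthenticationToken guestAuthenticationTokenIpv6 = new GuestAuthenticationToken("*", "0:0:0:0:0:0:0:1");
    GuestAuthenticationToken guestAuthenticationTokenIpv6Reachability =
            new GuestAuthenticationToken("*", "0:0:0:0:0:0:0:1%4");

    // A structurally valid BST whose payload is not a guest credential at all.
    String notGuestValue = Base64.getEncoder()
            .encodeToString("NotGuest".getBytes(java.nio.charset.StandardCharsets.UTF_8));

    receivedToken = new ReceivedToken(guestBinarySecurityToken(guestAuthenticationToken.getEncodedCredentials()));
    receivedAnyRealmToken =
            new ReceivedToken(guestBinarySecurityToken(guestAuthenticationTokenAnyRealm.getEncodedCredentials()));
    receivedBadToken = new ReceivedToken(guestBinarySecurityToken(notGuestValue));
    receivedTokenIpv6 =
            new ReceivedToken(guestBinarySecurityToken(guestAuthenticationTokenIpv6.getEncodedCredentials()));
    receivedTokenIpv6Reachability = new ReceivedToken(
            guestBinarySecurityToken(guestAuthenticationTokenIpv6Reachability.getEncodedCredentials()));

    parameters = new TokenValidatorParameters();
    parameters.setToken(receivedToken);
}

/**
 * Wraps {@code encodedValue} in a Base64-encoded guest {@code BinarySecurityToken}
 * JAXB element with the guest value type and id, i.e. the shape the validator
 * receives on the wire.
 *
 * @param encodedValue the already-encoded token value to place in the BST
 * @return the JAXB element wrapping the constructed BST
 */
private static JAXBElement<BinarySecurityTokenType> guestBinarySecurityToken(String encodedValue) {
    BinarySecurityTokenType bst = new BinarySecurityTokenType();
    bst.setValueType(GuestAuthenticationToken.GUEST_TOKEN_VALUE_TYPE);
    bst.setEncodingType(BSTAuthenticationToken.BASE64_ENCODING);
    bst.setId(GuestAuthenticationToken.BST_GUEST_LN);
    bst.setValue(encodedValue);
    return new JAXBElement<BinarySecurityTokenType>(
            new QName(WSSE_NS, "BinarySecurityToken"), BinarySecurityTokenType.class, bst);
}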
Also used : TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters) GuestAuthenticationToken(org.codice.ddf.security.handler.api.GuestAuthenticationToken) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) QName(javax.xml.namespace.QName) JAXBElement(javax.xml.bind.JAXBElement) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) Before(org.junit.Before)

Example 4 with ReceivedToken

use of org.apache.cxf.sts.request.ReceivedToken in project ddf by codice.

Class BSTDelegationHandler, method isDelegationAllowed.

/**
 * Decides whether the received token may be used as a delegation target.
 *
 * <p>Only the Java type of the wrapped token is consulted: a
 * {@link BinarySecurityTokenType} is allowed, any other type leaves the response's
 * delegation flag untouched. The token's content is not inspected or validated by
 * this handler.
 *
 * @param tokenParameters delegation parameters carrying the received token
 * @return a response referencing the same token, with delegation allowed for BSTs
 */
public TokenDelegationResponse isDelegationAllowed(TokenDelegationParameters tokenParameters) {
    final ReceivedToken candidate = tokenParameters.getToken();
    final TokenDelegationResponse decision = new TokenDelegationResponse();
    decision.setToken(candidate);
    final boolean isBinarySecurityToken = candidate.getToken() instanceof BinarySecurityTokenType;
    if (isBinarySecurityToken) {
        decision.setDelegationAllowed(true);
    }
    return decision;
}
Also used : BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) TokenDelegationResponse(org.apache.cxf.sts.token.delegation.TokenDelegationResponse)

Example 5 with ReceivedToken

use of org.apache.cxf.sts.request.ReceivedToken in project ddf by codice.

Class TestBSTDelegationHandler, method testDelegationNotAllowed.

/** A token that is not a BinarySecurityToken must not be accepted for delegation. */
@Test
public void testDelegationNotAllowed() {
    // A UsernameToken stands in for a non-BST token type.
    UsernameTokenType usernameToken = new UsernameTokenType();
    ReceivedToken received = mock(ReceivedToken.class);
    when(received.getToken()).thenReturn(usernameToken);
    TokenDelegationParameters params = mock(TokenDelegationParameters.class);
    when(params.getToken()).thenReturn(received);

    TokenDelegationResponse response = new BSTDelegationHandler().isDelegationAllowed(params);

    assertEquals(false, response.isDelegationAllowed());
}
Also used : TokenDelegationParameters(org.apache.cxf.sts.token.delegation.TokenDelegationParameters) UsernameTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) TokenDelegationResponse(org.apache.cxf.sts.token.delegation.TokenDelegationResponse) Test(org.junit.Test)

Aggregations

ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)117 Crypto (org.apache.wss4j.common.crypto.Crypto)59 TokenRequirements (org.apache.cxf.sts.request.TokenRequirements)55 Element (org.w3c.dom.Element)44 TokenValidatorResponse (org.apache.cxf.sts.token.validator.TokenValidatorResponse)43 CallbackHandler (javax.security.auth.callback.CallbackHandler)42 PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)38 Document (org.w3c.dom.Document)37 CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)35 TokenValidatorParameters (org.apache.cxf.sts.token.validator.TokenValidatorParameters)33 BinarySecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType)27 Principal (java.security.Principal)25 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)25 Test (org.junit.Test)25 STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)22 STSException (org.apache.cxf.ws.security.sts.provider.STSException)19 TokenProviderParameters (org.apache.cxf.sts.token.provider.TokenProviderParameters)13 TokenProviderResponse (org.apache.cxf.sts.token.provider.TokenProviderResponse)13 TokenValidator (org.apache.cxf.sts.token.validator.TokenValidator)13 RequestData (org.apache.wss4j.dom.handler.RequestData)13