Search in sources :

Example 1 with EncryptionProperties

use of org.apache.cxf.sts.service.EncryptionProperties in project cxf by apache.

the class TokenRenewOperation method renew.

public RequestSecurityTokenResponseType renew(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
    long start = System.currentTimeMillis();
    TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
    try {
        RequestRequirements requestRequirements = parseRequest(request, messageContext);
        KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
        TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
        renewerParameters.setStsProperties(stsProperties);
        renewerParameters.setPrincipal(principal);
        renewerParameters.setMessageContext(messageContext);
        renewerParameters.setTokenStore(getTokenStore());
        renewerParameters.setKeyRequirements(keyRequirements);
        renewerParameters.setTokenRequirements(tokenRequirements);
        ReceivedToken renewTarget = tokenRequirements.getRenewTarget();
        if (renewTarget == null || renewTarget.getToken() == null) {
            throw new STSException("No element presented for renewal", STSException.INVALID_REQUEST);
        }
        renewerParameters.setToken(renewTarget);
        if (tokenRequirements.getTokenType() == null) {
            LOG.fine("Received TokenType is null");
        }
        // Get the realm of the request
        String realm = null;
        if (stsProperties.getRealmParser() != null) {
            RealmParser realmParser = stsProperties.getRealmParser();
            realm = realmParser.parseRealm(messageContext);
        }
        renewerParameters.setRealm(realm);
        // Validate the request
        TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, tokenRequirements, renewTarget);
        if (tokenResponse == null) {
            LOG.fine("No Token Validator has been found that can handle this token");
            renewTarget.setState(STATE.INVALID);
            throw new STSException("No Token Validator has been found that can handle this token" + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
        }
        // Reject an invalid token
        if (tokenResponse.getToken().getState() != STATE.EXPIRED && tokenResponse.getToken().getState() != STATE.VALID) {
            LOG.fine("The token is not valid or expired, and so it cannot be renewed");
            throw new STSException("No Token Validator has been found that can handle this token" + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
        }
        // 
        // Renew the token
        // 
        TokenRenewerResponse tokenRenewerResponse = null;
        renewerParameters = createTokenRenewerParameters(requestRequirements, principal, messageContext);
        Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
        if (additionalProperties != null) {
            renewerParameters.setAdditionalProperties(additionalProperties);
        }
        renewerParameters.setRealm(tokenResponse.getTokenRealm());
        renewerParameters.setToken(tokenResponse.getToken());
        realm = tokenResponse.getTokenRealm();
        for (TokenRenewer tokenRenewer : tokenRenewers) {
            final boolean canHandle;
            if (realm == null) {
                canHandle = tokenRenewer.canHandleToken(tokenResponse.getToken());
            } else {
                canHandle = tokenRenewer.canHandleToken(tokenResponse.getToken(), realm);
            }
            if (canHandle) {
                try {
                    tokenRenewerResponse = tokenRenewer.renewToken(renewerParameters);
                } catch (STSException ex) {
                    LOG.log(Level.WARNING, "", ex);
                    throw ex;
                } catch (RuntimeException ex) {
                    LOG.log(Level.WARNING, "", ex);
                    throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
                }
                break;
            }
        }
        if (tokenRenewerResponse == null || tokenRenewerResponse.getToken() == null) {
            LOG.fine("No Token Renewer has been found that can handle this token");
            throw new STSException("No token renewer found for requested token type", STSException.REQUEST_FAILED);
        }
        // prepare response
        try {
            EncryptionProperties encryptionProperties = renewerParameters.getEncryptionProperties();
            RequestSecurityTokenResponseType response = createResponse(encryptionProperties, tokenRenewerResponse, tokenRequirements, keyRequirements);
            STSRenewSuccessEvent event = new STSRenewSuccessEvent(renewerParameters, System.currentTimeMillis() - start);
            publishEvent(event);
            cleanRequest(requestRequirements);
            return response;
        } catch (Throwable ex) {
            LOG.log(Level.WARNING, "", ex);
            throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
        }
    } catch (RuntimeException ex) {
        STSRenewFailureEvent event = new STSRenewFailureEvent(renewerParameters, System.currentTimeMillis() - start, ex);
        publishEvent(event);
        throw ex;
    }
}
Also used : STSRenewSuccessEvent(org.apache.cxf.sts.event.STSRenewSuccessEvent) TokenRenewerResponse(org.apache.cxf.sts.token.renewer.TokenRenewerResponse) RequestRequirements(org.apache.cxf.sts.request.RequestRequirements) STSException(org.apache.cxf.ws.security.sts.provider.STSException) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) RealmParser(org.apache.cxf.sts.RealmParser) STSRenewFailureEvent(org.apache.cxf.sts.event.STSRenewFailureEvent) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) TokenRenewerParameters(org.apache.cxf.sts.token.renewer.TokenRenewerParameters) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) TokenRenewer(org.apache.cxf.sts.token.renewer.TokenRenewer)

Example 2 with EncryptionProperties

use of org.apache.cxf.sts.service.EncryptionProperties in project cxf by apache.

the class AbstractOperation method createTokenProviderParameters.

/**
 * Create a TokenProviderParameters object
 */
protected TokenProviderParameters createTokenProviderParameters(RequestRequirements requestRequirements, Principal principal, Map<String, Object> messageContext) {
    TokenProviderParameters providerParameters = new TokenProviderParameters();
    providerParameters.setStsProperties(stsProperties);
    providerParameters.setPrincipal(principal);
    providerParameters.setMessageContext(messageContext);
    providerParameters.setTokenStore(getTokenStore());
    providerParameters.setEncryptToken(encryptIssuedToken);
    KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
    TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
    providerParameters.setKeyRequirements(keyRequirements);
    providerParameters.setTokenRequirements(tokenRequirements);
    // Extract AppliesTo
    String address = extractAddressFromAppliesTo(tokenRequirements.getAppliesTo());
    if (LOG.isLoggable(Level.FINE)) {
        LOG.fine("The AppliesTo address that has been received is: " + address);
    }
    providerParameters.setAppliesToAddress(address);
    // Get the realm of the request
    if (stsProperties.getRealmParser() != null) {
        RealmParser realmParser = stsProperties.getRealmParser();
        String realm = realmParser.parseRealm(messageContext);
        providerParameters.setRealm(realm);
    }
    // Set the requested Claims
    ClaimCollection claims = tokenRequirements.getPrimaryClaims();
    providerParameters.setRequestedPrimaryClaims(claims);
    claims = tokenRequirements.getSecondaryClaims();
    providerParameters.setRequestedSecondaryClaims(claims);
    EncryptionProperties encryptionProperties = stsProperties.getEncryptionProperties();
    if (address != null) {
        boolean foundService = false;
        // Get the stored Service object corresponding to the Service endpoint
        if (services != null) {
            for (ServiceMBean service : services) {
                if (service.isAddressInEndpoints(address)) {
                    EncryptionProperties svcEncryptionProperties = service.getEncryptionProperties();
                    if (svcEncryptionProperties != null) {
                        encryptionProperties = svcEncryptionProperties;
                    }
                    if (tokenRequirements.getTokenType() == null) {
                        String tokenType = service.getTokenType();
                        tokenRequirements.setTokenType(tokenType);
                        LOG.fine("Using default token type of: " + tokenType);
                    }
                    if (keyRequirements.getKeyType() == null) {
                        String keyType = service.getKeyType();
                        keyRequirements.setKeyType(keyType);
                        LOG.fine("Using default key type of: " + keyType);
                    }
                    foundService = true;
                    break;
                }
            }
        }
        if (!foundService) {
            String msg = "No service corresponding to " + address + " is known. Check 'services' property configuration in SecurityTokenServiceProvider";
            LOG.log(Level.SEVERE, msg);
            throw new STSException(msg, STSException.REQUEST_FAILED);
        }
    }
    providerParameters.setEncryptionProperties(encryptionProperties);
    return providerParameters;
}
Also used : RealmParser(org.apache.cxf.sts.RealmParser) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) ServiceMBean(org.apache.cxf.sts.service.ServiceMBean) STSException(org.apache.cxf.ws.security.sts.provider.STSException) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)

Example 3 with EncryptionProperties

use of org.apache.cxf.sts.service.EncryptionProperties in project cxf by apache.

the class IssueUnitTest method createProviderParameters.

private TokenProviderParameters createProviderParameters(String tokenType, String keyType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler, String username, String issuer) throws WSSecurityException {
    TokenProviderParameters parameters = new TokenProviderParameters();
    TokenRequirements tokenRequirements = new TokenRequirements();
    tokenRequirements.setTokenType(tokenType);
    parameters.setTokenRequirements(tokenRequirements);
    KeyRequirements keyRequirements = new KeyRequirements();
    keyRequirements.setKeyType(keyType);
    parameters.setKeyRequirements(keyRequirements);
    parameters.setPrincipal(new CustomTokenPrincipal(username));
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    parameters.setMessageContext(msgCtx);
    parameters.setAppliesToAddress("https://localhost:" + STSPORT + "/SecurityTokenService/b-issuer/Transport");
    // Add STSProperties object
    StaticSTSProperties stsProperties = new StaticSTSProperties();
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setSignatureUsername(signatureUsername);
    stsProperties.setCallbackHandler(callbackHandler);
    stsProperties.setIssuer(issuer);
    parameters.setStsProperties(stsProperties);
    parameters.setEncryptionProperties(new EncryptionProperties());
    return parameters;
}
Also used : CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties) MessageImpl(org.apache.cxf.message.MessageImpl) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)

Example 4 with EncryptionProperties

use of org.apache.cxf.sts.service.EncryptionProperties in project cxf by apache.

the class IssueJWTOnbehalfofUnitTest method createProviderParameters.

private TokenProviderParameters createProviderParameters(String tokenType, String keyType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler) throws WSSecurityException {
    TokenProviderParameters parameters = new TokenProviderParameters();
    TokenRequirements tokenRequirements = new TokenRequirements();
    tokenRequirements.setTokenType(tokenType);
    parameters.setTokenRequirements(tokenRequirements);
    KeyRequirements keyRequirements = new KeyRequirements();
    keyRequirements.setKeyType(keyType);
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias("myclientkey");
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    ReceivedCredential receivedCredential = new ReceivedCredential();
    receivedCredential.setX509Cert(certs[0]);
    keyRequirements.setReceivedCredential(receivedCredential);
    parameters.setKeyRequirements(keyRequirements);
    parameters.setPrincipal(new CustomTokenPrincipal("alice"));
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    parameters.setMessageContext(msgCtx);
    parameters.setAppliesToAddress("http://dummy-service.com/dummy");
    // Add STSProperties object
    StaticSTSProperties stsProperties = new StaticSTSProperties();
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setSignatureUsername(signatureUsername);
    stsProperties.setCallbackHandler(callbackHandler);
    stsProperties.setIssuer("STS");
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setEncryptionCrypto(crypto);
    parameters.setStsProperties(stsProperties);
    parameters.setEncryptionProperties(new EncryptionProperties());
    return parameters;
}
Also used : CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) CryptoType(org.apache.wss4j.common.crypto.CryptoType) StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties) MessageImpl(org.apache.cxf.message.MessageImpl) X509Certificate(java.security.cert.X509Certificate) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters) ReceivedCredential(org.apache.cxf.sts.request.ReceivedCredential)

Example 5 with EncryptionProperties

use of org.apache.cxf.sts.service.EncryptionProperties in project cxf by apache.

the class IssueSCTUnitTest method testIssueEncryptedSCT.

/**
 * Test to successfully issue an encrypted SecurityContextToken
 */
@org.junit.Test
public void testIssueEncryptedSCT() throws Exception {
    TokenIssueOperation issueOperation = new TokenIssueOperation();
    issueOperation.setTokenStore(tokenStore);
    issueOperation.setEncryptIssuedToken(true);
    // Add Token Provider
    issueOperation.setTokenProviders(Collections.singletonList(new SCTProvider()));
    // Add Service
    ServiceMBean service = new StaticService();
    service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
    EncryptionProperties encryptionProperties = new EncryptionProperties();
    if (!unrestrictedPoliciesInstalled) {
        encryptionProperties.setEncryptionAlgorithm(WSS4JConstants.AES_128);
    }
    service.setEncryptionProperties(encryptionProperties);
    issueOperation.setServices(Collections.singletonList(service));
    // Add STSProperties object
    STSPropertiesMBean stsProperties = new StaticSTSProperties();
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    stsProperties.setEncryptionCrypto(crypto);
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setSignatureUsername("mystskey");
    stsProperties.setCallbackHandler(new PasswordCallbackHandler());
    stsProperties.setIssuer("STS");
    issueOperation.setStsProperties(stsProperties);
    // Mock up a request
    RequestSecurityTokenType request = new RequestSecurityTokenType();
    JAXBElement<String> tokenType = new JAXBElement<String>(QNameConstants.TOKEN_TYPE, String.class, STSUtils.TOKEN_TYPE_SCT_05_12);
    request.getAny().add(tokenType);
    request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    Principal principal = new CustomTokenPrincipal("alice");
    msgCtx.put(SecurityContext.class.getName(), createSecurityContext(principal));
    // Issue a token
    RequestSecurityTokenResponseCollectionType response = issueOperation.issue(request, principal, msgCtx);
    List<RequestSecurityTokenResponseType> securityTokenResponse = response.getRequestSecurityTokenResponse();
    assertFalse(securityTokenResponse.isEmpty());
    // Test the generated token.
    Element securityContextToken = null;
    for (Object tokenObject : securityTokenResponse.get(0).getAny()) {
        if (tokenObject instanceof JAXBElement<?> && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>) tokenObject).getName())) {
            RequestedSecurityTokenType rstType = (RequestedSecurityTokenType) ((JAXBElement<?>) tokenObject).getValue();
            securityContextToken = (Element) rstType.getAny();
            break;
        }
    }
    assertNotNull(securityContextToken);
    String tokenString = DOM2Writer.nodeToString(securityContextToken);
    assertFalse(tokenString.contains("SecurityContextToken"));
    assertFalse(tokenString.contains("Identifier"));
    assertTrue(tokenString, tokenString.contains("EncryptedData"));
}
Also used : SCTProvider(org.apache.cxf.sts.token.provider.SCTProvider) ServiceMBean(org.apache.cxf.sts.service.ServiceMBean) RequestSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType) JAXBElement(javax.xml.bind.JAXBElement) Element(org.w3c.dom.Element) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties) RequestedSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType) StaticService(org.apache.cxf.sts.service.StaticService) RequestSecurityTokenResponseCollectionType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) PasswordCallbackHandler(org.apache.cxf.sts.common.PasswordCallbackHandler) JAXBElement(javax.xml.bind.JAXBElement) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext) SecurityContext(org.apache.cxf.security.SecurityContext) MessageImpl(org.apache.cxf.message.MessageImpl) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) Principal(java.security.Principal)

Aggregations

EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties)56 WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)51 MessageImpl (org.apache.cxf.message.MessageImpl)51 StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)51 KeyRequirements (org.apache.cxf.sts.request.KeyRequirements)46 TokenRequirements (org.apache.cxf.sts.request.TokenRequirements)45 CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)44 Crypto (org.apache.wss4j.common.crypto.Crypto)35 PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)33 TokenProviderParameters (org.apache.cxf.sts.token.provider.TokenProviderParameters)28 RequestSecurityTokenResponseType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)11 ServiceMBean (org.apache.cxf.sts.service.ServiceMBean)10 STSException (org.apache.cxf.ws.security.sts.provider.STSException)10 JAXBElement (javax.xml.bind.JAXBElement)9 StaticService (org.apache.cxf.sts.service.StaticService)9 RequestSecurityTokenResponseCollectionType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType)9 RequestSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType)9 ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)6 ReceivedCredential (org.apache.cxf.sts.request.ReceivedCredential)4 CryptoType (org.apache.wss4j.common.crypto.CryptoType)4