
Example 1 with BinarySecurityToken

use of com.sun.identity.liberty.ws.common.wsse.BinarySecurityToken in project OpenAM by OpenRock.

the class DiscoveryService method processRequest.

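/**
 * Processes an incoming Discovery Service request and builds the response message.
 *
 * <p>The request must carry exactly one SOAP body and must have been authenticated
 * with a mechanism that {@link DiscoServiceManager#getSupportedAuthenticationMechanisms()}
 * lists; both are checked before any body content is touched. The response carries an
 * X.509 binary security token when response authentication is configured for this
 * service or when the request's mechanism is one of the X509/SAML/Bearer profiles
 * (see {@link #requiresX509ResponseToken(String)}); otherwise a plain response is built.
 * The single body is then dispatched to {@code lookup} (Query) or {@code update} (Modify).
 *
 * @param request in coming request <code>Message</code>
 * @return response <code>Message</code>
 * @exception Exception if the message does not contain exactly one body, the
 *            authentication mechanism is not supported, the body is not a Discovery
 *            message, or the response message cannot be constructed
 *            (a {@link DiscoveryException} in the latter case).
 */
public Message processRequest(Message request) throws Exception {
    List bodies = Utils.convertElementToJAXB(request.getBodies());
    if (bodies.size() != 1) {
        DiscoUtils.debug.error("DiscoService.processRequest: SOAP message" + " didn't contain one SOAP body.");
        throw new Exception(DiscoUtils.bundle.getString("oneBody"));
    }
    String authnMech = request.getAuthenticationMechanism();
    if (DiscoUtils.debug.messageEnabled()) {
        DiscoUtils.debug.message("DiscoService.processRequest: " + "authentication mechanism =" + authnMech);
    }
    // Only mechanisms explicitly enabled for this service are accepted; a null
    // mechanism fails this check because the set cannot contain it.
    Set authnMechs = DiscoServiceManager.getSupportedAuthenticationMechanisms();
    if ((authnMechs == null) || (!authnMechs.contains(authnMech))) {
        DiscoUtils.debug.error("DiscoService.processRequest: Authentication" + "Mechanism used is not supported by this service:" + authnMech);
        throw new Exception(DiscoUtils.bundle.getString("authnMechNotSupported"));
    }
    ProviderHeader provH;
    try {
        provH = new ProviderHeader(DiscoServiceManager.getDiscoProviderID());
    } catch (SOAPBindingException sbe) {
        throw new DiscoveryException(sbe.getMessage());
    }
    Message message;
    if (DiscoServiceManager.useResponseAuthentication() || requiresX509ResponseToken(authnMech)) {
        try {
            // The response token is issued against the requester's session token and
            // tagged with the same WS-Framework version the request used.
            SecurityTokenManager stm = new SecurityTokenManager(request.getToken());
            BinarySecurityToken binaryToken = stm.getX509CertificateToken();
            binaryToken.setWSFVersion(request.getWSFVersion());
            message = new Message(provH, binaryToken);
            message.setWSFVersion(request.getWSFVersion());
        } catch (Exception e) {
            DiscoUtils.debug.error("DiscoveryService.processRequest:" + "couldn't generate Message with X509 token: ", e);
            throw new DiscoveryException(e.getMessage());
        }
    } else {
        try {
            message = new Message(provH);
        } catch (Exception e) {
            DiscoUtils.debug.error("DiscoveryService.processRequest:" + "couldn't generate Message: ", e);
            throw new DiscoveryException(e.getMessage());
        }
    }
    // Exactly one body is present at this point (checked above).
    Object body = bodies.get(0);
    if (body instanceof QueryType) {
        message.setSOAPBody(lookup((QueryType) body, request));
    } else if (body instanceof ModifyType) {
        message.setSOAPBody(Utils.convertJAXBToElement(update((ModifyType) body, request)));
    } else {
        DiscoUtils.debug.error("DiscoService.processRequest: SOAPBody " + "is not a Disco message.");
        throw new Exception(DiscoUtils.bundle.getString("bodyNotDisco"));
    }
    return message;
}

/**
 * Authentication mechanisms whose responses must carry an X.509 binary security
 * token: the X509, SAML and Bearer profiles over the NULL, TLS and client-TLS
 * transports, for both WS-Framework 1.0 and 1.1.
 */
private static final String[] X509_RESPONSE_TOKEN_MECHANISMS = {
    Message.NULL_X509, Message.NULL_SAML, Message.NULL_BEARER,
    Message.TLS_X509, Message.TLS_SAML, Message.TLS_BEARER,
    Message.CLIENT_TLS_X509, Message.CLIENT_TLS_SAML, Message.CLIENT_TLS_BEARER,
    Message.NULL_X509_WSF11, Message.NULL_SAML_WSF11, Message.NULL_BEARER_WSF11,
    Message.TLS_X509_WSF11, Message.TLS_SAML_WSF11, Message.TLS_BEARER_WSF11,
    Message.CLIENT_TLS_X509_WSF11, Message.CLIENT_TLS_SAML_WSF11, Message.CLIENT_TLS_BEARER_WSF11
};

/**
 * Tells whether a response to a request authenticated with {@code authnMech}
 * must carry an X.509 binary security token.
 *
 * @param authnMech authentication mechanism reported by the request; may be {@code null}
 * @return {@code true} if {@code authnMech} is one of
 *         {@link #X509_RESPONSE_TOKEN_MECHANISMS}, {@code false} otherwise
 *         (including for {@code null})
 */
private static boolean requiresX509ResponseToken(String authnMech) {
    if (authnMech == null) {
        return false;
    }
    for (int i = 0; i < X509_RESPONSE_TOKEN_MECHANISMS.length; i++) {
        if (authnMech.equals(X509_RESPONSE_TOKEN_MECHANISMS[i])) {
            return true;
        }
    }
    return false;
}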

Example 2 with BinarySecurityToken

use of com.sun.identity.liberty.ws.common.wsse.BinarySecurityToken in project OpenAM by OpenRock.

the class Message method parseSecurityElement.

/**
 * Sets the security profile type by parsing a WS-Security {@code Security}
 * header element and records the token that establishes it.
 *
 * <p>Side effects on this message: {@code securityProfileType} becomes
 * {@code ANONYMOUS}, {@code X509_TOKEN}, {@code BEARER_TOKEN} or
 * {@code SAML_TOKEN}; {@code wsfVersion} is derived from the element's
 * namespace; {@code binarySecurityToken}, {@code assertion} and
 * {@code messageCertificate} are filled from the token that fixed the
 * profile; every other element child of the header is collected into
 * {@code securityHeaders}, which is left {@code null} when there are none.
 *
 * @param securityE a security element; {@code null} selects the ANONYMOUS profile
 * @throws SOAPBindingException if the SecurityTokenReference URI is malformed,
 *                              or a binary security token or SAML assertion
 *                              cannot be processed
 */
private void parseSecurityElement(Element securityE) throws SOAPBindingException {
    // No Security header at all: the message is treated as unauthenticated.
    if (securityE == null) {
        securityProfileType = ANONYMOUS;
        return;
    }
    String wsseNS = securityE.getNamespaceURI();
    if (wsseNS == null) {
        securityProfileType = ANONYMOUS;
        return;
    }
    // The wsse namespace decides the WS-Framework version and, with it, the wsu
    // namespace used further down to read wsu:Id attributes.
    String wsuNS = null;
    if (wsseNS.equals(WSSEConstants.NS_WSSE_WSF11)) {
        wsfVersion = SOAPBindingConstants.WSF_11_VERSION;
        wsuNS = WSSEConstants.NS_WSU_WSF11;
    } else if (wsseNS.equals(WSSEConstants.NS_WSSE)) {
        wsfVersion = SOAPBindingConstants.WSF_10_VERSION;
        wsuNS = WSSEConstants.NS_WSU;
    } else {
        // An unrecognised wsse namespace is treated as "no security", not as an error.
        securityProfileType = ANONYMOUS;
        return;
    }
    // Locate the first SecurityTokenReference and its Reference URI. When present,
    // the "#id" fragment names the single token in this header that may
    // authenticate the message; all other tokens are retained as plain headers.
    NodeList nl = securityE.getElementsByTagNameNS(wsseNS, SAMLConstants.TAG_SECURITYTOKENREFERENCE);
    Element securityTokenRefE = null;
    String uri = null;
    if (nl != null && nl.getLength() > 0) {
        securityTokenRefE = (Element) nl.item(0);
        List list = XMLUtils.getElementsByTagNameNS1(securityTokenRefE, wsseNS, SAMLConstants.TAG_REFERENCE);
        if (!list.isEmpty()) {
            Element referenceE = (Element) list.get(0);
            uri = XMLUtils.getNodeAttributeValue(referenceE, SAMLConstants.TAG_URI);
            // Only local fragment references ("#" followed by at least one character) are accepted.
            if (uri != null && uri.length() > 1 && uri.startsWith("#")) {
                uri = uri.substring(1);
            } else {
                String msg = Utils.bundle.getString("invalidReferenceURI");
                Utils.debug.error("Message.parseSecurityElement: " + msg);
                throw new SOAPBindingException(msg);
            }
            if (Utils.debug.messageEnabled()) {
                Utils.debug.message("Message.parseSecurityElement: " + "SecurityTokenReference Reference URI = " + uri);
            }
        }
    }
    // Scan the direct element children: the first token that is not filtered out
    // fixes the profile; everything else is kept as an opaque header.
    securityProfileType = ANONYMOUS;
    securityHeaders = new ArrayList();
    nl = securityE.getChildNodes();
    int length = nl.getLength();
    for (int i = 0; i < length; i++) {
        Node child = nl.item(i);
        if (child.getNodeType() == Node.ELEMENT_NODE) {
            String localName = child.getLocalName();
            String ns = child.getNamespaceURI();
            // Once the profile is established, later tokens are retained, not re-evaluated.
            if (securityProfileType != ANONYMOUS) {
                securityHeaders.add(child);
                continue;
            }
            if (SAMLConstants.BINARYSECURITYTOKEN.equals(localName) && wsseNS.equals(ns)) {
                Element binarySecurityTokenE = (Element) child;
                String valuetype = XMLUtils.getNodeAttributeValue(binarySecurityTokenE, "ValueType");
                // NOTE(review): logged without the messageEnabled() guard used everywhere else in this method.
                Utils.debug.message("ValueType: " + valuetype);
                // A ServiceSessionContext token is not an authentication token; keep it as a header.
                if ((valuetype != null) && valuetype.endsWith("ServiceSessionContext")) {
                    securityHeaders.add(child);
                    continue;
                }
                // With a Reference URI, only the token whose wsu:Id equals it may authenticate.
                // NOTE(review): without a Reference URI the first qualifying BinarySecurityToken
                // in document order is accepted — confirm this is intended when a header
                // carries several tokens.
                if (uri != null) {
                    String id = XMLUtils.getNodeAttributeValueNS(binarySecurityTokenE, wsuNS, SAMLConstants.TAG_ID);
                    if (!uri.equals(id)) {
                        securityHeaders.add(child);
                        continue;
                    }
                }
                try {
                    binarySecurityToken = new BinarySecurityToken(binarySecurityTokenE);
                    messageCertificate = (X509Certificate) SecurityUtils.getCertificate(binarySecurityToken);
                } catch (Exception ex) {
                    // NOTE(review): ex is neither logged nor chained, so the reason the token
                    // failed to parse is lost to operators.
                    String msg = Utils.bundle.getString("cannotProcessBinarySecurityToken");
                    Utils.debug.error("Message.parseSecurityElement: " + msg);
                    throw new SOAPBindingException(msg);
                }
                if (Utils.debug.messageEnabled()) {
                    Utils.debug.message("Message.parseSecurityElement:" + " found binary security token");
                }
                securityProfileType = X509_TOKEN;
            } else if (SAMLConstants.TAG_ASSERTION.equals(localName) && SAMLConstants.assertionSAMLNameSpaceURI.equals(ns)) {
                Element assertionE = (Element) child;
                // Same selection rule as for binary tokens, keyed on AssertionID instead of wsu:Id.
                if (uri != null) {
                    String assertionID = XMLUtils.getNodeAttributeValue(assertionE, SAMLConstants.TAG_ASSERTION_ID);
                    if (!uri.equals(assertionID)) {
                        securityHeaders.add(child);
                        continue;
                    }
                }
                try {
                    assertion = new SecurityAssertion(assertionE);
                } catch (SAMLException ex) {
                    // NOTE(review): as above, the SAMLException is dropped rather than chained.
                    String msg = Utils.bundle.getString("cannotProcessSAMLAssertion");
                    Utils.debug.error("Message.parseSecurityElement: " + msg);
                    throw new SOAPBindingException(msg);
                }
                if (Utils.debug.messageEnabled()) {
                    Utils.debug.message("Message.parseSecurityElement:" + " found security assertion, " + "isBearer = " + assertion.isBearer());
                }
                // A bearer assertion yields no certificate; any other assertion supplies
                // the certificate that the signature will be checked against.
                if (assertion.isBearer()) {
                    securityProfileType = BEARER_TOKEN;
                } else {
                    securityProfileType = SAML_TOKEN;
                    messageCertificate = (X509Certificate) SecurityUtils.getCertificate(assertion);
                }
            } else {
                securityHeaders.add(child);
            }
        }
    }
    // Callers observe null rather than an empty list when no extra headers were found.
    if (securityHeaders.isEmpty()) {
        securityHeaders = null;
    }
}

Example 3 with BinarySecurityToken

use of com.sun.identity.liberty.ws.common.wsse.BinarySecurityToken in project OpenAM by OpenRock.

the class MessageProcessor method signMessage.

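/**
 * Signs the message.
 *
 * <p>The SOAP body is given a {@code wsu:Id}; that id, together with the
 * correlation header id when one is set, forms the list of signed references.
 * For the X.509 profiles a binary security token is first added to the header
 * and its certificate is used for signing; for the SAML profiles the
 * certificate is taken from {@code assertion}. The message is serialised and
 * re-parsed into a DOM before signing, so the signature is computed over the
 * serialised form, and the resulting Signature element is imported into the
 * Security header.
 *
 * @param soapMessage SOAPMessage that needs to be signed.
 * @param profile Security profile that needs to be used for signing;
 *                {@code null} is treated as an X.509 profile.
 * @param assertion Security Assertion; consulted only for the SAML profiles.
 * @return SOAPMessage signed SOAPMessage.
 * @throws SOAPBindingException if the body is missing, {@code profile} is not a
 *         signing profile, the serialised message cannot be parsed, or any
 *         signing step fails.
 */
private SOAPMessage signMessage(SOAPMessage soapMessage, String profile, SecurityAssertion assertion) throws SOAPBindingException {
    try {
        SOAPHeader soapHeader = soapMessage.getSOAPPart().getEnvelope().getHeader();
        if (soapHeader == null) {
            soapMessage.getSOAPPart().getEnvelope().addHeader();
        }
        SOAPBody soapBody = soapMessage.getSOAPPart().getEnvelope().getBody();
        if (soapBody == null) {
            Utils.debug.error("MessageProcessor.signMessage: " + "SOAP body is null");
            throw new SOAPBindingException(Utils.bundle.getString("nullSOAPBody"));
        }
        // The body needs an id so that the signature can reference it.
        String bodyId = SAMLUtils.generateID();
        soapBody.setAttributeNS(WSSEConstants.NS_WSU_WSF11, WSSEConstants.WSU_ID, bodyId);
        List ids = new ArrayList();
        ids.add(bodyId);
        if (correlationId != null) {
            ids.add(correlationId);
        }
        ByteArrayOutputStream bop = new ByteArrayOutputStream();
        Element sigElem = null;
        if (isX509SigningProfile(profile)) {
            // The token is attached before serialisation so the signed DOM contains it.
            BinarySecurityToken binaryToken = addBinaryToken(soapMessage);
            Certificate cert = SecurityUtils.getCertificate(binaryToken);
            soapMessage.writeTo(bop);
            Document doc = XMLUtils.toDOMDocument(new ByteArrayInputStream(bop.toByteArray()), Utils.debug);
            if (doc == null) {
                Utils.debug.error("MessageProcessor.signMessage: " + "could not parse serialized message");
                throw new SOAPBindingException(Utils.bundle.getString("cannotSignMessage"));
            }
            sigElem = SecurityUtils.getSignatureManager().signWithWSSX509TokenProfile(doc, cert, "", ids, SOAPBindingConstants.WSF_11_VERSION);
        } else if (isSAMLSigningProfile(profile)) {
            Certificate cert = SecurityUtils.getCertificate(assertion);
            soapMessage.writeTo(bop);
            Document doc = XMLUtils.toDOMDocument(new ByteArrayInputStream(bop.toByteArray()), Utils.debug);
            if (doc == null) {
                Utils.debug.error("MessageProcessor.signMessage: " + "could not parse serialized message");
                throw new SOAPBindingException(Utils.bundle.getString("cannotSignMessage"));
            }
            sigElem = SecurityUtils.getSignatureManager().signWithWSSSAMLTokenProfile(doc, cert, assertion.getAssertionID(), "", ids, SOAPBindingConstants.WSF_11_VERSION);
        }
        // Neither branch matched, or the signature manager returned nothing.
        if (sigElem == null) {
            Utils.debug.error("MessageProcessor.signMessage: " + "SigElement is null");
            throw new SOAPBindingException(Utils.bundle.getString("cannotSignMessage"));
        }
        Element securityHeader = getSecurityHeader(soapMessage);
        securityHeader.appendChild(securityHeader.getOwnerDocument().importNode(sigElem, true));
        return Utils.DocumentToSOAPMessage(sigElem.getOwnerDocument());
    } catch (SOAPBindingException sbe) {
        // Already carries the specific reason (e.g. nullSOAPBody); keep it instead of
        // replacing it with the generic cannotSignMessage text.
        throw sbe;
    } catch (Exception ex) {
        Utils.debug.error("MessageProcessor.signMessage: " + "Signing failed.", ex);
        throw new SOAPBindingException(Utils.bundle.getString("cannotSignMessage"));
    }
}

/** Profiles signed with a freshly added X.509 binary security token. */
private static final String[] X509_SIGNING_PROFILES = {
    Message.NULL_X509, Message.TLS_X509, Message.CLIENT_TLS_X509,
    Message.NULL_X509_WSF11, Message.TLS_X509_WSF11, Message.CLIENT_TLS_X509_WSF11
};

/** Profiles signed with the certificate carried by the supplied SAML assertion. */
private static final String[] SAML_SIGNING_PROFILES = {
    Message.NULL_SAML, Message.TLS_SAML, Message.CLIENT_TLS_SAML,
    Message.NULL_SAML_WSF11, Message.TLS_SAML_WSF11, Message.CLIENT_TLS_SAML_WSF11
};

/**
 * Tells whether {@code profile} selects X.509 token signing.
 *
 * @param profile security profile name, or {@code null}
 * @return {@code true} for {@code null} and for every {@link #X509_SIGNING_PROFILES} entry
 */
private static boolean isX509SigningProfile(String profile) {
    return profile == null || matchesAnyProfile(profile, X509_SIGNING_PROFILES);
}

/**
 * Tells whether {@code profile} selects SAML assertion signing.
 *
 * @param profile security profile name, or {@code null}
 * @return {@code true} only for the {@link #SAML_SIGNING_PROFILES} entries
 */
private static boolean isSAMLSigningProfile(String profile) {
    return profile != null && matchesAnyProfile(profile, SAML_SIGNING_PROFILES);
}

/**
 * Returns whether {@code profile} equals any entry of {@code candidates}.
 *
 * @param profile non-null profile name
 * @param candidates profile names to compare against
 * @return {@code true} on the first equal entry, {@code false} if none matches
 */
private static boolean matchesAnyProfile(String profile, String[] candidates) {
    for (int i = 0; i < candidates.length; i++) {
        if (profile.equals(candidates[i])) {
            return true;
        }
    }
    return false;
}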

Example 4 with BinarySecurityToken

use of com.sun.identity.liberty.ws.common.wsse.BinarySecurityToken in project OpenAM by OpenRock.

the class MessageProcessor method addBinaryToken.

/**
 * Adds an X.509 binary security token to the SOAP header of {@code msg},
 * creating the header first when the envelope has none.
 *
 * @param msg the message whose header receives the token
 * @return the token that was appended, tagged with the WSF 1.1 version
 * @throws SOAPBindingException if the header cannot be obtained or the token
 *         cannot be generated or attached
 */
private BinarySecurityToken addBinaryToken(SOAPMessage msg) throws SOAPBindingException {
    try {
        SOAPHeader existing = msg.getSOAPPart().getEnvelope().getHeader();
        SOAPHeader target = (existing != null) ? existing : msg.getSOAPPart().getEnvelope().addHeader();
        // The manager is created without a session token here, unlike the
        // request-processing paths that pass the caller's token.
        BinarySecurityToken token = new SecurityTokenManager(null).getX509CertificateToken();
        token.setWSFVersion(SOAPBindingConstants.WSF_11_VERSION);
        token.addToParent(target);
        return token;
    } catch (Exception ex) {
        Utils.debug.error("MessageProcessor.addBinaryToken: " + "Could not add binary security token", ex);
        // NOTE(review): the resource key below names the correlation header; confirm
        // whether a token-specific message exists in the bundle.
        throw new SOAPBindingException(Utils.bundle.getString("cannotAddCorrelationHeader"));
    }
}

Example 5 with BinarySecurityToken

use of com.sun.identity.liberty.ws.common.wsse.BinarySecurityToken in project OpenAM by OpenRock.

the class DSTRequestHandler method generateBinarySecurityToken.

/**
 * Generates the binary security token if the security profile is X509.
 *
 * <p>The token is issued through a {@link SecurityTokenManager} bound to the
 * request's session token and is stamped with the request's WSF version.
 *
 * @param msg Request Message.
 * @return BinarySecurityToken.
 * @exception DSTException if the token manager or the token cannot be created;
 *            the underlying exception is chained as the cause.
 */
private BinarySecurityToken generateBinarySecurityToken(Message msg) throws DSTException {
    BinarySecurityToken token;
    try {
        token = new SecurityTokenManager(msg.getToken()).getX509CertificateToken();
        token.setWSFVersion(msg.getWSFVersion());
    } catch (Exception e) {
        DSTUtils.debug.error("DSTRequestHandler:generateBinary" + "SecurityToken: Error in generating binary security token.", e);
        throw new DSTException(e);
    }
    return token;
}
