
Example 1 with EncryptedResourceID

use of com.sun.identity.liberty.ws.disco.EncryptedResourceID in project OpenAM by OpenRock.

the class DSTClient method parseResourceOffering.

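/**
 * Parses the given discovery resource offering for the Data service and
 * caches what the client needs to call it: the (possibly encrypted) resource
 * identifier, the service type, the SOAP endpoint and action, and the
 * security profile, WSF version and client-TLS flag derived from the first
 * description that advertises an endpoint and a security mechanism this
 * client supports.
 *
 * @param offering the {@code ResourceOffering} returned by the Discovery Service
 * @throws DSTException if the offering has no resource identifier, no service
 *         instance, no service type, no descriptions, or no description with
 *         both a non-empty endpoint and a supported security mechanism
 */
private void parseResourceOffering(ResourceOffering offering) throws DSTException {
    // Try for the encrypted resource offering first; a plain ResourceID is
    // mandatory only when no encrypted one is present.
    encryptedResourceID = offering.getEncryptedResourceID();
    if (encryptedResourceID != null) {
        isEncryptedResourceID = true;
    } else {
        ResourceID resID = offering.getResourceID();
        if (resID == null) {
            DSTUtils.debug.error("DSTClient:parseResourceOffering: " + "No ResourceID");
            throw new DSTException(DSTUtils.bundle.getString("noResourceID"));
        }
        resourceID = resID.getResourceID();
    }
    ServiceInstance serviceInstance = offering.getServiceInstance();
    if (serviceInstance == null) {
        DSTUtils.debug.error("DSTClient:parseResourceOffering: " + "No service instance.");
        throw new DSTException(DSTUtils.bundle.getString("noServiceInstance"));
    }
    serviceType = serviceInstance.getServiceType();
    if (serviceType == null) {
        DSTUtils.debug.error("DSTClient:parseResourceOffering: " + "service type is null.");
        throw new DSTException(DSTUtils.bundle.getString("noServiceType"));
    }
    List descriptions = serviceInstance.getDescription();
    if (descriptions == null || descriptions.isEmpty()) {
        DSTUtils.debug.error("DSTClient:parseResourceOffering: " + "descriptions are null.");
        throw new DSTException(DSTUtils.bundle.getString("noDescriptions"));
    }
    // A service instance can have multiple descriptions. Use the first one
    // that carries a non-empty endpoint and a supported security mechanism.
    boolean foundProfile = false;
    for (Object item : descriptions) {
        Description description = (Description) item;
        soapAction = description.getSoapAction();
        soapURI = description.getEndpoint();
        if (soapURI == null || soapURI.length() == 0) {
            continue;
        }
        List secMechIDs = description.getSecurityMechID();
        if (secMechIDs == null || secMechIDs.isEmpty()) {
            continue;
        }
        for (Object mechID : secMechIDs) {
            if (applySecurityMechID(((String) mechID).trim())) {
                foundProfile = true;
                break;
            }
        }
        if (foundProfile) {
            break;
        }
    }
    // Both conditions named in the error message are checked: an offering
    // whose descriptions advertise only unsupported mechanisms must not be
    // accepted with whatever securityProfile the client held before.
    if (soapURI == null || !foundProfile) {
        DSTUtils.debug.error("DSTClient:parseResourceOffering: " + "SOAP Endpoint or security profile is null");
        throw new DSTException(DSTUtils.bundle.getString("invalidResourceOffering"));
    }
    if (DSTUtils.debug.messageEnabled()) {
        DSTUtils.debug.message("DSTClient.parseResourceOffering:" + "soapURI = " + soapURI + "soapAction = " + soapAction + "securityProfile = " + securityProfile);
    }
}

/**
 * Applies one advertised security mechanism URI to this client's
 * {@code securityProfile}, {@code wsfVersion} and {@code clientAuthEnabled}
 * settings.
 *
 * <p>Anonymous mechanisms set only the profile; X509, SAML and Bearer
 * mechanisms additionally select WSF 1.0 or WSF 1.1. The CLIENT_TLS
 * variants of every family turn client authentication on; no mechanism
 * ever turns it off.
 *
 * @param secMechID a trimmed security mechanism URI from a service description
 * @return {@code true} if the mechanism is supported and the settings were
 *         updated, {@code false} if the settings were left untouched
 */
private boolean applySecurityMechID(String secMechID) {
    if (isOneOf(secMechID, Message.NULL_NULL, Message.TLS_NULL, Message.CLIENT_TLS_NULL)) {
        securityProfile = Message.ANONYMOUS;
        if (secMechID.equals(Message.CLIENT_TLS_NULL)) {
            clientAuthEnabled = true;
        }
        return true;
    }
    if (isOneOf(secMechID, Message.NULL_X509, Message.TLS_X509, Message.CLIENT_TLS_X509)) {
        securityProfile = Message.X509_TOKEN;
        wsfVersion = SOAPBindingConstants.WSF_10_VERSION;
        if (secMechID.equals(Message.CLIENT_TLS_X509)) {
            clientAuthEnabled = true;
        }
        return true;
    }
    if (isOneOf(secMechID, Message.NULL_X509_WSF11, Message.TLS_X509_WSF11, Message.CLIENT_TLS_X509_WSF11)) {
        securityProfile = Message.X509_TOKEN;
        wsfVersion = SOAPBindingConstants.WSF_11_VERSION;
        if (secMechID.equals(Message.CLIENT_TLS_X509_WSF11)) {
            clientAuthEnabled = true;
        }
        return true;
    }
    if (isOneOf(secMechID, Message.NULL_SAML, Message.TLS_SAML, Message.CLIENT_TLS_SAML)) {
        securityProfile = Message.SAML_TOKEN;
        wsfVersion = SOAPBindingConstants.WSF_10_VERSION;
        if (secMechID.equals(Message.CLIENT_TLS_SAML)) {
            clientAuthEnabled = true;
        }
        return true;
    }
    if (isOneOf(secMechID, Message.NULL_SAML_WSF11, Message.TLS_SAML_WSF11, Message.CLIENT_TLS_SAML_WSF11)) {
        securityProfile = Message.SAML_TOKEN;
        wsfVersion = SOAPBindingConstants.WSF_11_VERSION;
        if (secMechID.equals(Message.CLIENT_TLS_SAML_WSF11)) {
            clientAuthEnabled = true;
        }
        return true;
    }
    if (isOneOf(secMechID, Message.NULL_BEARER, Message.TLS_BEARER, Message.CLIENT_TLS_BEARER)) {
        securityProfile = Message.BEARER_TOKEN;
        wsfVersion = SOAPBindingConstants.WSF_10_VERSION;
        if (secMechID.equals(Message.CLIENT_TLS_BEARER)) {
            clientAuthEnabled = true;
        }
        return true;
    }
    if (isOneOf(secMechID, Message.NULL_BEARER_WSF11, Message.TLS_BEARER_WSF11, Message.CLIENT_TLS_BEARER_WSF11)) {
        securityProfile = Message.BEARER_TOKEN;
        wsfVersion = SOAPBindingConstants.WSF_11_VERSION;
        if (secMechID.equals(Message.CLIENT_TLS_BEARER_WSF11)) {
            clientAuthEnabled = true;
        }
        return true;
    }
    return false;
}

/**
 * Returns {@code true} if {@code value} equals any of {@code candidates}.
 *
 * @param value the value to look for (never {@code null})
 * @param candidates the accepted values
 * @return whether {@code value} matches one of the candidates
 */
private static boolean isOneOf(String value, String... candidates) {
    for (String candidate : candidates) {
        if (value.equals(candidate)) {
            return true;
        }
    }
    return false;
}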

Example 2 with EncryptedResourceID

use of com.sun.identity.liberty.ws.disco.EncryptedResourceID in project OpenAM by OpenRock.

the class DiscoUtils method generateCredential.

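/**
 * Generates the SAML credential for one resource offering and appends it to
 * {@code credentials}.
 *
 * <p>The sender identity is the WSC provider ID when one is known (from
 * {@code wscID}, else from the message's ProviderHeader), otherwise the user
 * DN. When a session context is available its name identifier is decrypted
 * if encrypted, passed through the configured NameIdentifierMapper, and
 * re-encrypted for the target provider when that provider has name-ID
 * encryption enabled. The resource is the offering's EncryptedResourceID, its
 * plain ResourceID, or the implied resource when neither is present.
 *
 * <p>With the BEARER directive a bearer token is issued only when AUTHN, AUTHO
 * or SESSION is also set. Otherwise an authorization token is issued, signed
 * with the provider's configured signing key when a provider ID is known, or
 * with the WSC certificate taken from the message when it is not.
 *
 * @param dirs directive flags (BEARER, AUTHN, AUTHO, SESSION)
 * @param current the resource offering the credential is generated for
 * @param message the incoming request message
 * @param userDN user DN used as sender identity when no provider ID is known
 * @param credentials output list the generated assertion is added to
 * @param invoSession invocator session context, or {@code null} to derive it
 *        from the message's assertion
 * @param wscID WSC provider ID, or {@code null}/empty to fall back to the
 *        message's ProviderHeader
 * @param token token used to construct the SecurityTokenManager
 * @return the generated assertion ID, or {@code null} if no credential could
 *         be generated (all failures are logged)
 */
private static String generateCredential(BitSet dirs, ResourceOffering current, Message message, String userDN, List credentials, SessionContext invoSession, String wscID, Object token) {
    SecurityAssertion assertion = null;
    try {
        SecurityTokenManager secuMgr = new SecurityTokenManager(token);
        NameIdentifier senderIdentity = null;
        // An empty provider ID is treated as absent throughout this method.
        String providerID = wscID;
        if ((providerID == null) || (providerID.length() == 0)) {
            ProviderHeader ph = message.getProviderHeader();
            if (ph != null) {
                providerID = ph.getProviderID();
            }
        }
        SessionContext invocatorSession = invoSession;
        if (invocatorSession == null) {
            invocatorSession = getSessionContext(message.getAssertion());
        }
        String tproviderID = current.getServiceInstance().getProviderID();
        if (invocatorSession != null) {
            try {
                ProviderManager pm = ProviderUtil.getProviderManager();
                SessionSubject sub = invocatorSession.getSessionSubject();
                NameIdentifier ni = sub.getNameIdentifier();
                if ((ni.getFormat() != null) && (ni.getFormat().equals("urn:liberty:iff:nameid:encrypted"))) {
                    ni = EncryptedNameIdentifier.getDecryptedNameIdentifier(ni, pm.getDecryptionKey(DiscoServiceManager.getDiscoProviderID()));
                }
                NameIdentifier newNi = null;
                NameIdentifierMapper niMapper = DiscoServiceManager.getNameIdentifierMapper();
                if (niMapper != null) {
                    String discoEntityID = DiscoServiceManager.getDiscoProviderID();
                    newNi = niMapper.getNameIdentifier(tproviderID, discoEntityID, ni, userDN);
                }
                if ((newNi != null) && !newNi.equals(ni)) {
                    sub.setNameIdentifier(newNi);
                    // modify IDPProvidedNameIdentifier, this should be
                    // a EncryptedIDPProvidedNameIdentifier, but not
                    // defined by specification.
                    // Or set this to null once we make it optional
                    // in SessionSubject class implementation
                    IDPProvidedNameIdentifier idpNi = sub.getIDPProvidedNameIdentifier();
                    if (idpNi != null) {
                        IDPProvidedNameIdentifier newIdpNi = new IDPProvidedNameIdentifier(newNi.getName(), newNi.getNameQualifier(), newNi.getFormat());
                        sub.setIDPProvidedNameIdentifier(newIdpNi);
                    }
                } else if (pm.isNameIDEncryptionEnabled(tproviderID)) {
                    sub.setNameIdentifier(EncryptedNameIdentifier.getEncryptedNameIdentifier(ni, tproviderID, pm.getEncryptionKey(tproviderID), pm.getEncryptionKeyAlgorithm(tproviderID), pm.getEncryptionKeyStrength(tproviderID)));
                } else {
                    sub.setNameIdentifier(ni);
                }
                invocatorSession.setSessionSubject(sub);
            } catch (Exception ex) {
                // Message previously named handleDirective; it is logged from here.
                debug.error("DiscoUtils.generateCredential: En/Decryption" + " Exception:", ex);
                return null;
            }
        }
        // Resource reference: encrypted ID, plain ID string, or the implied resource.
        Object resourceID = current.getEncryptedResourceID();
        if (resourceID == null) {
            resourceID = current.getResourceID();
            if (resourceID == null) {
                resourceID = DiscoConstants.IMPLIED_RESOURCE;
            } else {
                resourceID = ((ResourceID) resourceID).getResourceID();
            }
        }
        if (dirs.get(BEARER)) {
            if (dirs.get(AUTHN) || dirs.get(AUTHO) || dirs.get(SESSION)) {
                if ((providerID != null) && (providerID.length() != 0)) {
                    senderIdentity = new NameIdentifier(providerID, null, DiscoConstants.PROVIDER_ID_FORMAT);
                } else {
                    senderIdentity = new NameIdentifier(userDN);
                }
                if (resourceID instanceof String) {
                    assertion = secuMgr.getSAMLBearerToken(senderIdentity, invocatorSession, (String) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
                } else {
                    assertion = secuMgr.getSAMLBearerToken(senderIdentity, invocatorSession, (EncryptedResourceID) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
                }
            }
        } else {
            if ((providerID != null) && (providerID.length() != 0)) {
                senderIdentity = new NameIdentifier(providerID, null, DiscoConstants.PROVIDER_ID_FORMAT);
            } else {
                senderIdentity = new NameIdentifier(userDN);
            }
            // Same "provider ID known" test as for the sender identity: an empty
            // provider ID must not be used to look up a signing key alias; fall
            // back to the WSC certificate carried by the message instead.
            if ((providerID != null) && (providerID.length() != 0)) {
                secuMgr.setCertAlias(ProviderUtil.getProviderManager().getSigningKeyAlias(providerID));
            } else {
                X509Certificate wscCert = message.getPeerCertificate();
                if (wscCert == null) {
                    wscCert = message.getMessageCertificate();
                    if (wscCert == null) {
                        if (debug.messageEnabled()) {
                            debug.message("DiscoUtils.generateCredential:" + "client cert is null. Cannot generate " + "credential.");
                        }
                        return null;
                    }
                }
                secuMgr.setCertificate(wscCert);
            }
            if (resourceID instanceof String) {
                assertion = secuMgr.getSAMLAuthorizationToken(senderIdentity, invocatorSession, (String) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
            } else {
                assertion = secuMgr.getSAMLAuthorizationToken(senderIdentity, invocatorSession, (EncryptedResourceID) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
            }
        }
    } catch (Exception ex) {
        debug.error("DiscoUtils.generateCredential:" + "cannot generate credential: ", ex);
    }
    if (assertion == null) {
        debug.error("DiscoUtils.generateCredential: " + "cannot generate credential.");
        return null;
    } else {
        credentials.add(assertion);
        return assertion.getAssertionID();
    }
}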

Example 3 with EncryptedResourceID

use of com.sun.identity.liberty.ws.disco.EncryptedResourceID in project OpenAM by OpenRock.

the class LibSecurityTokenProvider method createResourceAccessStatement.

/**
 * Creates a <code>ResourceAccessStatement</code> for the given resource.
 *
 * @param senderIdentity identity of the sender; passed to
 *        <code>createSubjectAndProxySubject</code> to build the subject(s)
 * @param invocatorSession session context of the invoking party
 * @param resourceID either a plain <code>String</code> resource ID or an
 *        <code>EncryptedResourceID</code>; any other type fails the cast and
 *        surfaces as a <code>SecurityTokenException</code>
 * @param isBear passed through to <code>createSubjectAndProxySubject</code>
 * @return the assembled statement
 * @throws SecurityTokenException if subject creation or statement
 *         construction fails (the underlying error is logged)
 */
private ResourceAccessStatement createResourceAccessStatement(NameIdentifier senderIdentity, SessionContext invocatorSession, Object resourceID, boolean isBear) throws SecurityTokenException {
    if (debug.messageEnabled()) {
        debug.message("LibSecurityTokenProvider.createResourceAccessStatement: resourceID class = " + resourceID.getClass() + ", value = " + resourceID);
    }
    ResourceAccessStatement statement;
    try {
        List subjects = createSubjectAndProxySubject(senderIdentity, invocatorSession, isBear);
        Subject subject = (Subject) subjects.get(0);
        // A second element, when present, is the proxy subject.
        ProxySubject proxySubject = (subjects.size() == 2) ? (ProxySubject) subjects.get(1) : null;
        statement = (resourceID instanceof String)
                ? new ResourceAccessStatement((String) resourceID, proxySubject, invocatorSession, subject)
                : new ResourceAccessStatement((EncryptedResourceID) resourceID, proxySubject, invocatorSession, subject);
        if (debug.messageEnabled()) {
            debug.message("LibSecurityTokenProvider.createResourceAccessStatement: ras = " + statement);
        }
    } catch (Exception e) {
        debug.error("createResourceAccessStatement: ", e);
        throw new SecurityTokenException(e.getMessage());
    }
    return statement;
}

Example 4 with EncryptedResourceID

use of com.sun.identity.liberty.ws.disco.EncryptedResourceID in project OpenAM by OpenRock.

the class DiscoUtils method doEncryption.

/**
 * Replaces the offering's plain <code>ResourceID</code> with an
 * <code>EncryptedResourceID</code> encrypted for the offering's service
 * instance provider.
 *
 * <p>NOTE(review): this is best-effort. If encryption throws, the error is
 * logged and the offering is returned unchanged, i.e. still carrying its
 * plaintext <code>ResourceID</code>; callers that require an encrypted ID
 * must check <code>getEncryptedResourceID()</code> on the result.
 *
 * @param current the offering to transform in place; returned as-is when it
 *        has no plain <code>ResourceID</code>
 * @return the same offering instance
 */
private static ResourceOffering doEncryption(ResourceOffering current) {
    ResourceID plainID = current.getResourceID();
    if (plainID != null) {
        try {
            // The provider lookup stays inside the try so a missing service
            // instance is logged rather than propagated.
            String providerID = current.getServiceInstance().getProviderID();
            EncryptedResourceID encrypted = EncryptedResourceID.getEncryptedResourceID(plainID, providerID);
            current.setResourceID(null);
            current.setEncryptedResourceID(encrypted);
        } catch (Exception e) {
            debug.error("DiscoUtils.doEncryption: exception:", e);
        }
    }
    return current;
}
