use of com.sun.identity.liberty.ws.disco.EncryptedResourceID in project OpenAM by OpenRock.
the class DSTClient method parseResourceOffering.
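/**
 * Parses the given discovery resource offering for the Data service and
 * records what this client needs to call it: the (encrypted or plain)
 * resource ID, the service type, the SOAP endpoint and action, and the
 * security profile to use.
 *
 * <p>A service instance may carry several descriptions; the first one that
 * has a non-empty endpoint and a security mechanism this client recognizes
 * wins. Within a description the mechanisms are tried in the order the
 * offering lists them, i.e. the producer of the offering picks the order.
 * {@code NULL_NULL} (neither transport nor message security) is accepted and
 * mapped to {@code ANONYMOUS}, so a caller that requires transport security
 * must enforce it on the resulting {@code soapURI} / {@code securityProfile}
 * itself.
 *
 * <p>Unlike the earlier version, a description that is skipped (empty
 * endpoint, no or only unsupported mechanisms) never leaves a stale endpoint
 * behind: if no description is usable the offering is rejected instead of
 * being accepted with an unset security profile.
 *
 * @param offering ResourceOffering to parse
 * @exception DSTException if the offering has no resource ID, no service
 *            instance, no service type, no descriptions, or no description
 *            with both a usable endpoint and a supported security mechanism
 */
private void parseResourceOffering(ResourceOffering offering) throws DSTException {
    // Prefer the encrypted resource ID; fall back to the plain one.
    encryptedResourceID = offering.getEncryptedResourceID();
    if (encryptedResourceID != null) {
        isEncryptedResourceID = true;
    } else {
        ResourceID resID = offering.getResourceID();
        if (resID == null) {
            DSTUtils.debug.error("DSTClient:parseResourceOffering: " + "No ResourceID");
            throw new DSTException(DSTUtils.bundle.getString("noResourceID"));
        }
        resourceID = resID.getResourceID();
    }

    ServiceInstance serviceInstance = offering.getServiceInstance();
    if (serviceInstance == null) {
        DSTUtils.debug.error("DSTClient:parseResourceOffering: " + "No service instance.");
        throw new DSTException(DSTUtils.bundle.getString("noServiceInstance"));
    }
    serviceType = serviceInstance.getServiceType();
    if (serviceType == null) {
        DSTUtils.debug.error("DSTClient:parseResourceOffering: " + "service type is null.");
        throw new DSTException(DSTUtils.bundle.getString("noServiceType"));
    }
    List descriptions = serviceInstance.getDescription();
    if (descriptions == null || descriptions.isEmpty()) {
        DSTUtils.debug.error("DSTClient:parseResourceOffering: " + "descriptions are null.");
        throw new DSTException(DSTUtils.bundle.getString("noDescriptions"));
    }

    // Walk the descriptions until one yields an endpoint plus a supported
    // security mechanism. soapURI/soapAction are only assigned on a match,
    // so a rejected description cannot satisfy the final check below.
    boolean foundProfile = false;
    Iterator iter = descriptions.iterator();
    while (!foundProfile && iter.hasNext()) {
        Description description = (Description) iter.next();
        String endpoint = description.getEndpoint();
        if (endpoint == null || endpoint.length() == 0) {
            continue;
        }
        List secMechIDs = description.getSecurityMechID();
        if (secMechIDs == null || secMechIDs.isEmpty()) {
            continue;
        }
        for (Iterator mechIter = secMechIDs.iterator(); mechIter.hasNext(); ) {
            String secProfile = ((String) mechIter.next()).trim();
            if (selectSecurityProfile(secProfile)) {
                soapURI = endpoint;
                soapAction = description.getSoapAction();
                foundProfile = true;
                break;
            }
        }
    }
    if (!foundProfile) {
        DSTUtils.debug.error("DSTClient:parseResourceOffering: " + "SOAP Endpoint or security profile is null");
        throw new DSTException(DSTUtils.bundle.getString("invalidResourceOffering"));
    }
    if (DSTUtils.debug.messageEnabled()) {
        DSTUtils.debug.message("DSTClient.parseResourceOffering:" + "soapURI = " + soapURI + ", soapAction = " + soapAction + ", securityProfile = " + securityProfile);
    }
}

/**
 * Maps one security mechanism URI from a description onto this client's
 * {@code securityProfile}, {@code wsfVersion} and {@code clientAuthEnabled}
 * settings.
 *
 * <p>{@code wsfVersion} is deliberately not touched for the anonymous
 * mechanisms (they carry no message-level token), matching the behavior
 * callers have always seen. {@code clientAuthEnabled} is only ever raised,
 * never cleared, by a {@code CLIENT_TLS_*} mechanism.
 *
 * @param secProfile trimmed security mechanism identifier
 * @return {@code true} if the identifier is supported and the settings were
 *         updated; {@code false} if it is unrecognized (no state is changed)
 */
private boolean selectSecurityProfile(String secProfile) {
    if (secProfile.equals(Message.NULL_NULL) || secProfile.equals(Message.TLS_NULL) || secProfile.equals(Message.CLIENT_TLS_NULL)) {
        securityProfile = Message.ANONYMOUS;
        if (secProfile.equals(Message.CLIENT_TLS_NULL)) {
            clientAuthEnabled = true;
        }
        return true;
    }
    if (secProfile.equals(Message.NULL_X509) || secProfile.equals(Message.TLS_X509) || secProfile.equals(Message.CLIENT_TLS_X509)) {
        securityProfile = Message.X509_TOKEN;
        wsfVersion = SOAPBindingConstants.WSF_10_VERSION;
        if (secProfile.equals(Message.CLIENT_TLS_X509)) {
            clientAuthEnabled = true;
        }
        return true;
    }
    if (secProfile.equals(Message.NULL_X509_WSF11) || secProfile.equals(Message.TLS_X509_WSF11) || secProfile.equals(Message.CLIENT_TLS_X509_WSF11)) {
        securityProfile = Message.X509_TOKEN;
        wsfVersion = SOAPBindingConstants.WSF_11_VERSION;
        if (secProfile.equals(Message.CLIENT_TLS_X509_WSF11)) {
            clientAuthEnabled = true;
        }
        return true;
    }
    if (secProfile.equals(Message.NULL_SAML) || secProfile.equals(Message.TLS_SAML) || secProfile.equals(Message.CLIENT_TLS_SAML)) {
        securityProfile = Message.SAML_TOKEN;
        wsfVersion = SOAPBindingConstants.WSF_10_VERSION;
        if (secProfile.equals(Message.CLIENT_TLS_SAML)) {
            clientAuthEnabled = true;
        }
        return true;
    }
    if (secProfile.equals(Message.NULL_SAML_WSF11) || secProfile.equals(Message.TLS_SAML_WSF11) || secProfile.equals(Message.CLIENT_TLS_SAML_WSF11)) {
        securityProfile = Message.SAML_TOKEN;
        wsfVersion = SOAPBindingConstants.WSF_11_VERSION;
        if (secProfile.equals(Message.CLIENT_TLS_SAML_WSF11)) {
            clientAuthEnabled = true;
        }
        return true;
    }
    if (secProfile.equals(Message.NULL_BEARER) || secProfile.equals(Message.TLS_BEARER) || secProfile.equals(Message.CLIENT_TLS_BEARER)) {
        securityProfile = Message.BEARER_TOKEN;
        wsfVersion = SOAPBindingConstants.WSF_10_VERSION;
        if (secProfile.equals(Message.CLIENT_TLS_BEARER)) {
            clientAuthEnabled = true;
        }
        return true;
    }
    if (secProfile.equals(Message.NULL_BEARER_WSF11) || secProfile.equals(Message.TLS_BEARER_WSF11) || secProfile.equals(Message.CLIENT_TLS_BEARER_WSF11)) {
        securityProfile = Message.BEARER_TOKEN;
        wsfVersion = SOAPBindingConstants.WSF_11_VERSION;
        if (secProfile.equals(Message.CLIENT_TLS_BEARER_WSF11)) {
            clientAuthEnabled = true;
        }
        return true;
    }
    return false;
}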
use of com.sun.identity.liberty.ws.disco.EncryptedResourceID in project OpenAM by OpenRock.
the class DiscoUtils method generateCredential.
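/**
 * Generates a SAML security assertion (credential) that the web service
 * consumer (WSC) can present to the service described by {@code current},
 * following the directives in {@code dirs}.
 *
 * <p>Steps: resolve the WSC provider ID (explicit {@code wscID}, else the
 * message's Provider header); resolve the invoking user's session context
 * (explicit, else derived from the message assertion); rewrite the session
 * subject's name identifier for the target provider (decrypt an encrypted
 * one with the discovery service's key, apply the configured
 * {@code NameIdentifierMapper}, re-encrypt when the target has name-ID
 * encryption enabled); resolve the resource ID (encrypted, plain, or the
 * implied resource); then request either a bearer token or, for the
 * non-bearer case, an authorization token after attaching the WSC's
 * certificate / signing-key alias to the token manager.
 *
 * <p>Fix: the non-bearer path previously looked up a signing-key alias for
 * an <em>empty</em> provider ID (only {@code null} was excluded) while the
 * sender identity for the same empty ID was already built from
 * {@code userDN}; an empty provider ID now consistently takes the
 * "unregistered WSC" route and binds to the certificate the WSC presented.
 *
 * @param dirs        requested directives (BEARER, AUTHN, AUTHO, SESSION bits)
 * @param current     resource offering the credential is for
 * @param message     incoming discovery request message
 * @param userDN      DN of the invoking user; used as sender identity when no
 *                    WSC provider ID is known
 * @param credentials list the generated assertion is appended to on success
 * @param invoSession invocator session context, may be {@code null}
 * @param wscID       WSC provider ID, may be {@code null} or empty
 * @param token       caller's token used to open the {@code SecurityTokenManager}
 * @return the generated assertion's ID, or {@code null} if no credential could
 *         be produced (all failures are logged, none propagate)
 */
private static String generateCredential(BitSet dirs, ResourceOffering current, Message message, String userDN, List credentials, SessionContext invoSession, String wscID, Object token) {
    SecurityAssertion assertion = null;
    try {
        SecurityTokenManager secuMgr = new SecurityTokenManager(token);

        // WSC provider ID: explicit argument first, then the message's
        // Provider header. May remain null/empty for an unregistered WSC.
        String providerID = wscID;
        if ((providerID == null) || (providerID.length() == 0)) {
            ProviderHeader ph = message.getProviderHeader();
            if (ph != null) {
                providerID = ph.getProviderID();
            }
        }
        SessionContext invocatorSession = invoSession;
        if (invocatorSession == null) {
            invocatorSession = getSessionContext(message.getAssertion());
        }
        // Target (WSP) provider the credential is scoped to.
        String tproviderID = current.getServiceInstance().getProviderID();

        if (invocatorSession != null) {
            try {
                ProviderManager pm = ProviderUtil.getProviderManager();
                SessionSubject sub = invocatorSession.getSessionSubject();
                NameIdentifier ni = sub.getNameIdentifier();
                // Undo IdP-side name-ID encryption with the discovery service's own key.
                if ((ni.getFormat() != null) && (ni.getFormat().equals("urn:liberty:iff:nameid:encrypted"))) {
                    ni = EncryptedNameIdentifier.getDecryptedNameIdentifier(ni, pm.getDecryptionKey(DiscoServiceManager.getDiscoProviderID()));
                }
                NameIdentifier newNi = null;
                NameIdentifierMapper niMapper = DiscoServiceManager.getNameIdentifierMapper();
                if (niMapper != null) {
                    String discoEntityID = DiscoServiceManager.getDiscoProviderID();
                    newNi = niMapper.getNameIdentifier(tproviderID, discoEntityID, ni, userDN);
                }
                if ((newNi != null) && !newNi.equals(ni)) {
                    // NOTE(review): a mapper-supplied identifier is set as returned,
                    // without the re-encryption applied in the branch below even if
                    // isNameIDEncryptionEnabled(tproviderID) — confirm the mapper is
                    // expected to return an already-encrypted identifier in that case.
                    sub.setNameIdentifier(newNi);
                    // Keep IDPProvidedNameIdentifier in step. This should be an
                    // EncryptedIDPProvidedNameIdentifier, but the specification does
                    // not define one; alternatively set it to null once it is made
                    // optional in the SessionSubject implementation.
                    IDPProvidedNameIdentifier idpNi = sub.getIDPProvidedNameIdentifier();
                    if (idpNi != null) {
                        IDPProvidedNameIdentifier newIdpNi = new IDPProvidedNameIdentifier(newNi.getName(), newNi.getNameQualifier(), newNi.getFormat());
                        sub.setIDPProvidedNameIdentifier(newIdpNi);
                    }
                } else if (pm.isNameIDEncryptionEnabled(tproviderID)) {
                    // Re-encrypt for the target provider with its own key material.
                    sub.setNameIdentifier(EncryptedNameIdentifier.getEncryptedNameIdentifier(ni, tproviderID, pm.getEncryptionKey(tproviderID), pm.getEncryptionKeyAlgorithm(tproviderID), pm.getEncryptionKeyStrength(tproviderID)));
                } else {
                    sub.setNameIdentifier(ni);
                }
                invocatorSession.setSessionSubject(sub);
            } catch (Exception ex) {
                // Fail closed: never issue a credential with a half-rewritten subject.
                debug.error("DiscoUtils.generateCredential: En/Decryption" + " Exception:", ex);
                return null;
            }
        }

        // Resource the credential is for: the encrypted ID if present, else the
        // plain ID string, else the implied resource.
        Object resourceID = current.getEncryptedResourceID();
        if (resourceID == null) {
            ResourceID plainID = current.getResourceID();
            resourceID = (plainID == null) ? (String) DiscoConstants.IMPLIED_RESOURCE : plainID.getResourceID();
        }

        boolean haveProviderID = (providerID != null) && (providerID.length() != 0);
        if (dirs.get(BEARER)) {
            // Bearer token: only issued when at least one of AUTHN/AUTHO/SESSION is
            // requested. No certificate is attached on this path, so possession of
            // the assertion alone is enough to use it.
            if (dirs.get(AUTHN) || dirs.get(AUTHO) || dirs.get(SESSION)) {
                NameIdentifier senderIdentity = haveProviderID
                        ? new NameIdentifier(providerID, null, DiscoConstants.PROVIDER_ID_FORMAT)
                        : new NameIdentifier(userDN);
                if (resourceID instanceof String) {
                    assertion = secuMgr.getSAMLBearerToken(senderIdentity, invocatorSession, (String) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
                } else {
                    assertion = secuMgr.getSAMLBearerToken(senderIdentity, invocatorSession, (EncryptedResourceID) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
                }
            }
        } else {
            NameIdentifier senderIdentity = haveProviderID
                    ? new NameIdentifier(providerID, null, DiscoConstants.PROVIDER_ID_FORMAT)
                    : new NameIdentifier(userDN);
            if (haveProviderID) {
                // Registered WSC: use its configured signing-key alias.
                secuMgr.setCertAlias(ProviderUtil.getProviderManager().getSigningKeyAlias(providerID));
            } else {
                // Unregistered (or empty-ID) WSC: use the certificate it presented,
                // peer certificate first, then the message certificate. Without one
                // no credential is issued.
                // NOTE(review): this relies on the message certificate having been
                // validated upstream (signature verified, chain checked) — confirm
                // before trusting it as the WSC's identity here.
                X509Certificate wscCert = message.getPeerCertificate();
                if (wscCert == null) {
                    wscCert = message.getMessageCertificate();
                }
                if (wscCert == null) {
                    if (debug.messageEnabled()) {
                        debug.message("DiscoUtils.generateCredential:" + "client cert is null. Cannot generate " + "credential.");
                    }
                    return null;
                }
                secuMgr.setCertificate(wscCert);
            }
            if (resourceID instanceof String) {
                assertion = secuMgr.getSAMLAuthorizationToken(senderIdentity, invocatorSession, (String) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
            } else {
                assertion = secuMgr.getSAMLAuthorizationToken(senderIdentity, invocatorSession, (EncryptedResourceID) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
            }
        }
    } catch (Exception ex) {
        debug.error("DiscoUtils.generateCredential:" + "cannot generate credential: ", ex);
    }
    if (assertion == null) {
        debug.error("DiscoUtils.generateCredential: " + "cannot generate credential.");
        return null;
    }
    credentials.add(assertion);
    return assertion.getAssertionID();
}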
use of com.sun.identity.liberty.ws.disco.EncryptedResourceID in project OpenAM by OpenRock.
the class LibSecurityTokenProvider method createResourceAccessStatement.
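/**
 * Creates a <code>ResourceAccessStatement</code> for the given sender,
 * invocator session and resource.
 *
 * <p>The subject (and, when {@code createSubjectAndProxySubject} returns two
 * elements, the proxy subject) come from that helper; the statement is built
 * with the String or <code>EncryptedResourceID</code> overload depending on
 * the runtime type of {@code resourceID}. Any other type fails the cast and
 * is reported as a <code>SecurityTokenException</code> like every other
 * error here.
 *
 * <p>Fix: the debug line no longer dereferences {@code resourceID} before the
 * try block, so a {@code null} resource ID no longer produces a
 * {@code NullPointerException} only when message-level logging is enabled.
 *
 * @param senderIdentity   identity of the sender the statement is issued to
 * @param invocatorSession session context of the invoking user
 * @param resourceID       a <code>String</code> resource ID or an
 *                         <code>EncryptedResourceID</code>
 * @param isBear           passed through to
 *                         <code>createSubjectAndProxySubject</code>
 * @return the new statement
 * @throws SecurityTokenException if subject creation or statement
 *         construction fails (the original exception message is kept, its
 *         cause is not chained — the exception type offers no such constructor
 *         in this code)
 */
private ResourceAccessStatement createResourceAccessStatement(NameIdentifier senderIdentity, SessionContext invocatorSession, Object resourceID, boolean isBear) throws SecurityTokenException {
    if (debug.messageEnabled()) {
        // Null-safe: logging must not change the outcome for a null resource ID.
        Object resourceClass = (resourceID == null) ? null : resourceID.getClass();
        debug.message("LibSecurityTokenProvider." + "createResourceAccessStatement: resourceID class = " + resourceClass + ", value = " + resourceID);
    }
    ResourceAccessStatement ras = null;
    try {
        List subjects = createSubjectAndProxySubject(senderIdentity, invocatorSession, isBear);
        Subject subject = (Subject) subjects.get(0);
        // A second element, when present, is the proxy subject.
        ProxySubject proxySubject = (subjects.size() == 2) ? (ProxySubject) subjects.get(1) : null;
        if (resourceID instanceof String) {
            ras = new ResourceAccessStatement((String) resourceID, proxySubject, invocatorSession, subject);
        } else {
            ras = new ResourceAccessStatement((EncryptedResourceID) resourceID, proxySubject, invocatorSession, subject);
        }
        if (debug.messageEnabled()) {
            debug.message("LibSecurityTokenProvider." + "createResourceAccessStatement: ras = " + ras);
        }
    } catch (Exception e) {
        debug.error("createResourceAccessStatement: ", e);
        throw new SecurityTokenException(e.getMessage());
    }
    return ras;
}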
use of com.sun.identity.liberty.ws.disco.EncryptedResourceID in project OpenAM by OpenRock.
the class DiscoUtils method doEncryption.
/**
 * Replaces the offering's plain <code>ResourceID</code> with an
 * <code>EncryptedResourceID</code> encrypted for the offering's service
 * provider. Offerings without a plain resource ID are returned untouched.
 *
 * <p>NOTE(review): an encryption failure is only logged; the offering is then
 * returned with its resource ID still in the clear (fail-open). A caller that
 * must not hand out the plain ID has to check for a remaining
 * <code>getResourceID()</code> itself.
 *
 * @param current offering to rewrite in place
 * @return the same offering instance
 */
private static ResourceOffering doEncryption(ResourceOffering current) {
    ResourceID plainID = current.getResourceID();
    if (plainID != null) {
        try {
            String providerID = current.getServiceInstance().getProviderID();
            EncryptedResourceID encrypted = EncryptedResourceID.getEncryptedResourceID(plainID, providerID);
            current.setResourceID(null);
            current.setEncryptedResourceID(encrypted);
        } catch (Exception e) {
            debug.error("DiscoUtils.doEncryption: exception:", e);
        }
    }
    return current;
}