
Example 1 with ProviderManager

use of com.sun.identity.liberty.ws.util.ProviderManager in project OpenAM by OpenRock.

the class DiscoUtils method generateCredential.

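/**
 * Generates a SAML security assertion for the resource offering {@code current},
 * appends it to {@code credentials} and returns its assertion ID.
 *
 * <p>Which assertion is produced depends on the directive bits in {@code dirs}:
 * with {@code BEARER} set (and at least one of {@code AUTHN}, {@code AUTHO},
 * {@code SESSION}) a SAML bearer token is requested; otherwise a SAML
 * authorization token is requested and bound either to the signing key alias of
 * the WSC's provider ID or, when no provider ID is known, to the certificate the
 * message was received with. Before either is issued, the invocator session's
 * subject is (re)mapped for the target provider by the configured
 * {@code NameIdentifierMapper} and re-encrypted when that provider requires it.
 *
 * @param dirs requested directives; bits {@code BEARER}, {@code AUTHN}, {@code AUTHO} and {@code SESSION} are read
 * @param current the resource offering the credential is issued for; supplies the target provider ID and resource ID
 * @param message the incoming SOAP binding message (Provider header, assertion, peer/message certificate)
 * @param userDN DN of the invoking user; used as sender identity when no provider ID is known and passed to the mapper
 * @param credentials list the generated assertion is added to (raw {@code List}, as elsewhere in this class)
 * @param invoSession invocator session context, or {@code null} to derive it from the message assertion
 * @param wscID provider ID of the WSC; {@code null} or empty means "take it from the message Provider header"
 * @param token session token handed to {@code SecurityTokenManager}
 * @return the assertion ID of the generated credential, or {@code null} if none could be generated
 */
private static String generateCredential(BitSet dirs, ResourceOffering current, Message message, String userDN, List credentials, SessionContext invoSession, String wscID, Object token) {
    SecurityAssertion assertion = null;
    try {
        SecurityTokenManager secuMgr = new SecurityTokenManager(token);
        // Caller-supplied WSC ID wins; otherwise fall back to the message's Provider header.
        // NOTE(review): the Provider header is client-supplied, so the signing-key-alias
        // lookup below depends on ProviderManager not resolving unknown IDs to a default.
        String providerID = wscID;
        if (!hasText(providerID)) {
            ProviderHeader ph = message.getProviderHeader();
            if (ph != null) {
                providerID = ph.getProviderID();
            }
        }
        SessionContext invocatorSession = invoSession;
        if (invocatorSession == null) {
            invocatorSession = getSessionContext(message.getAssertion());
        }
        String tproviderID = current.getServiceInstance().getProviderID();
        // A failed NameID mapping/encryption must not fall through to token issuance.
        if (invocatorSession != null && !mapSessionSubject(invocatorSession, tproviderID, userDN)) {
            return null;
        }
        Object resourceID = resolveResourceID(current);
        if (dirs.get(BEARER)) {
            // A bearer token is only issued when at least one of AUTHN/AUTHO/SESSION is requested;
            // otherwise assertion stays null and the caller gets null below.
            if (dirs.get(AUTHN) || dirs.get(AUTHO) || dirs.get(SESSION)) {
                NameIdentifier senderIdentity = newSenderIdentity(providerID, userDN);
                if (resourceID instanceof String) {
                    assertion = secuMgr.getSAMLBearerToken(senderIdentity, invocatorSession, (String) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
                } else {
                    assertion = secuMgr.getSAMLBearerToken(senderIdentity, invocatorSession, (EncryptedResourceID) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
                }
            }
        } else {
            NameIdentifier senderIdentity = newSenderIdentity(providerID, userDN);
            // An empty provider ID is treated as absent here too, consistent with the
            // sender-identity and Provider-header checks above (the original only tested null).
            if (hasText(providerID)) {
                secuMgr.setCertAlias(ProviderUtil.getProviderManager().getSigningKeyAlias(providerID));
            } else {
                // No provider ID: bind the token to the certificate the message actually
                // arrived with (transport peer cert first, then the message-level cert).
                X509Certificate wscCert = message.getPeerCertificate();
                if (wscCert == null) {
                    wscCert = message.getMessageCertificate();
                    if (wscCert == null) {
                        if (debug.messageEnabled()) {
                            debug.message("DiscoUtils.generateCredential:" + "client cert is null. Cannot generate " + "credential.");
                        }
                        return null;
                    }
                }
                secuMgr.setCertificate(wscCert);
            }
            if (resourceID instanceof String) {
                assertion = secuMgr.getSAMLAuthorizationToken(senderIdentity, invocatorSession, (String) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
            } else {
                assertion = secuMgr.getSAMLAuthorizationToken(senderIdentity, invocatorSession, (EncryptedResourceID) resourceID, dirs.get(AUTHN), dirs.get(AUTHO), tproviderID);
            }
        }
    } catch (Exception ex) {
        debug.error("DiscoUtils.generateCredential:" + "cannot generate credential: ", ex);
    }
    if (assertion == null) {
        debug.error("DiscoUtils.generateCredential: " + "cannot generate credential.");
        return null;
    } else {
        credentials.add(assertion);
        return assertion.getAssertionID();
    }
}

/** Returns true when {@code s} is neither null nor empty. */
private static boolean hasText(String s) {
    return (s != null) && (s.length() != 0);
}

/**
 * Builds the sender identity for a credential: the provider ID (in
 * {@code DiscoConstants.PROVIDER_ID_FORMAT}) when one is known, else the user DN.
 */
private static NameIdentifier newSenderIdentity(String providerID, String userDN) throws Exception {
    if (hasText(providerID)) {
        return new NameIdentifier(providerID, null, DiscoConstants.PROVIDER_ID_FORMAT);
    }
    return new NameIdentifier(userDN);
}

/**
 * Picks the resource identifier to put in the credential: the offering's encrypted
 * resource ID if present, else its plain resource ID string, else
 * {@code DiscoConstants.IMPLIED_RESOURCE}.
 *
 * @return an {@code EncryptedResourceID} or a {@code String}
 */
private static Object resolveResourceID(ResourceOffering current) {
    Object resourceID = current.getEncryptedResourceID();
    if (resourceID != null) {
        return resourceID;
    }
    Object plain = current.getResourceID();
    if (plain == null) {
        return (String) DiscoConstants.IMPLIED_RESOURCE;
    }
    return ((ResourceID) plain).getResourceID();
}

/**
 * Rewrites the session subject's NameIdentifier for the target provider
 * {@code tproviderID}: an identifier in format {@code urn:liberty:iff:nameid:encrypted}
 * is first decrypted with the discovery provider's key, the configured
 * {@code NameIdentifierMapper} (if any) is applied, and the result is stored back on
 * {@code invocatorSession} — re-encrypted for the target provider when no mapping
 * happened and that provider has NameID encryption enabled.
 *
 * @return {@code false} if any step threw; the error has already been logged
 */
private static boolean mapSessionSubject(SessionContext invocatorSession, String tproviderID, String userDN) {
    try {
        ProviderManager pm = ProviderUtil.getProviderManager();
        SessionSubject sub = invocatorSession.getSessionSubject();
        NameIdentifier ni = sub.getNameIdentifier();
        if ("urn:liberty:iff:nameid:encrypted".equals(ni.getFormat())) {
            ni = EncryptedNameIdentifier.getDecryptedNameIdentifier(ni, pm.getDecryptionKey(DiscoServiceManager.getDiscoProviderID()));
        }
        NameIdentifier newNi = null;
        NameIdentifierMapper niMapper = DiscoServiceManager.getNameIdentifierMapper();
        if (niMapper != null) {
            String discoEntityID = DiscoServiceManager.getDiscoProviderID();
            newNi = niMapper.getNameIdentifier(tproviderID, discoEntityID, ni, userDN);
        }
        if ((newNi != null) && !newNi.equals(ni)) {
            sub.setNameIdentifier(newNi);
            // Keep IDPProvidedNameIdentifier in step with the mapped identifier. The spec
            // defines no encrypted variant of it, so it is rebuilt from the mapped value;
            // it could be set to null once SessionSubject makes it optional.
            IDPProvidedNameIdentifier idpNi = sub.getIDPProvidedNameIdentifier();
            if (idpNi != null) {
                sub.setIDPProvidedNameIdentifier(new IDPProvidedNameIdentifier(newNi.getName(), newNi.getNameQualifier(), newNi.getFormat()));
            }
        } else if (pm.isNameIDEncryptionEnabled(tproviderID)) {
            sub.setNameIdentifier(EncryptedNameIdentifier.getEncryptedNameIdentifier(ni, tproviderID, pm.getEncryptionKey(tproviderID), pm.getEncryptionKeyAlgorithm(tproviderID), pm.getEncryptionKeyStrength(tproviderID)));
        } else {
            sub.setNameIdentifier(ni);
        }
        invocatorSession.setSessionSubject(sub);
        return true;
    } catch (Exception ex) {
        // Log under the real entry point (this used to be mislabelled "handleDirective").
        debug.error("DiscoUtils.generateCredential: En/Decryption" + " Exception:", ex);
        return false;
    }
}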

Example 2 with ProviderManager

use of com.sun.identity.liberty.ws.util.ProviderManager in project OpenAM by OpenRock.

the class EncryptedResourceID method getEncryptedResourceID.

/**
 * Encrypts <code>ri</code> with the encryption key registered for
 * <code>providerID</code> and wraps the resulting element as an
 * <code>EncryptedResourceID</code>. Key algorithm, key strength and the key
 * itself are all looked up through the <code>ProviderManager</code> for that
 * provider ID.
 *
 * @param ri The resource ID instance that needs to be encrypted.
 * @param providerID The provider ID whose encryption key needs to be used
 *        for encryption.
 * @return the encrypted form of <code>ri</code>.
 * @throws DiscoveryException if either argument is null or if the encryption
 *         step fails (the underlying exception is kept as the cause).
 */
public static EncryptedResourceID getEncryptedResourceID(ResourceID ri, String providerID) throws DiscoveryException {
    if (ri == null || providerID == null) {
        DiscoUtils.debug.error("EncryptedResourceID.getEncryptedResource" + "ID: null input value");
        throw new DiscoveryException(DiscoUtils.bundle.getString("nullInput"));
    }
    try {
        ProviderManager providers = ProviderUtil.getProviderManager();
        Document plain = XMLUtils.toDOMDocument(ri.toString(), DiscoUtils.debug);
        XMLEncryptionManager encryptor = XMLEncryptionManager.getInstance();
        // Parameters for the target provider are resolved in the same order as before:
        // algorithm, strength, key.
        Document encrypted = encryptor.encryptAndReplaceResourceID(plain, plain.getDocumentElement(), providers.getEncryptionKeyAlgorithm(providerID), providers.getEncryptionKeyStrength(providerID), providers.getEncryptionKey(providerID), 0, providerID);
        return new EncryptedResourceID(encrypted.getDocumentElement());
    } catch (Exception e) {
        DiscoUtils.debug.error("EncryptedResourceID.getEncryptedResource" + "ID: encryption exception:", e);
        throw new DiscoveryException(e);
    }
}

Example 3 with ProviderManager

use of com.sun.identity.liberty.ws.util.ProviderManager in project OpenAM by OpenRock.

the class Utils method checkProviderHeader.

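/**
 * Enforces the Provider header processing rules defined in the spec.
 *
 * <p>The actor/mustUnderstand rule is checked on both sides. On the server,
 * and only when <code>SOAPBindingService.enforceOnlyKnownProviders()</code> is
 * on, the header's provider ID must additionally be known to the
 * <code>ProviderManager</code>, and an affiliation ID, if supplied, must be one
 * that provider is a member of. Every server-side rejection carries the
 * offending header in the fault detail.
 *
 * @param provH the Provider header to check; <code>null</code> means no header
 *              was present and nothing is checked
 * @param messageID the messageID in the Correlation header, echoed in fault details
 * @param isServer true if this is a server
 * @throws SOAPBindingException if the Provider header violates rules
 *                                 on client side
 * @throws SOAPFaultException if the Provider header violates rules
 *                               on server side
 */
static void checkProviderHeader(ProviderHeader provH, String messageID, boolean isServer) throws SOAPBindingException, SOAPFaultException {
    if (provH == null) {
        return;
    }
    try {
        checkActorAndMustUnderstand(provH.getActor(), provH.getMustUnderstand(), messageID, isServer);
    } catch (SOAPFaultException sfe) {
        // Attach the header so the fault detail identifies what was rejected.
        sfe.getSOAPFaultMessage().getSOAPFault().getDetail().setProviderHeader(provH);
        throw sfe;
    }
    if (!isServer || !SOAPBindingService.enforceOnlyKnownProviders()) {
        return;
    }
    String providerID = provH.getProviderID();
    ProviderManager providerManager = ProviderUtil.getProviderManager();
    if (!providerManager.containsProvider(providerID)) {
        throw newProviderFault(new SOAPFaultDetail(SOAPFaultDetail.PROVIDER_ID_NOT_VALID, messageID, null), provH);
    }
    String affID = provH.getAffiliationID();
    if ((affID != null) && !providerManager.isAffiliationMember(providerID, affID)) {
        throw newProviderFault(new SOAPFaultDetail(SOAPFaultDetail.AFFILIATION_ID_NOT_VALID, messageID, null), provH);
    }
}

/**
 * Wraps {@code sfd} in a server fault, after attaching the rejected Provider
 * header to it, so both rejection paths above produce the same fault shape.
 */
private static SOAPFaultException newProviderFault(SOAPFaultDetail sfd, ProviderHeader provH) {
    sfd.setProviderHeader(provH);
    SOAPFault sf = new SOAPFault(FAULT_CODE_SERVER, faultStringServerError, null, sfd);
    return new SOAPFaultException(new Message(sf));
}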

Example 4 with ProviderManager

use of com.sun.identity.liberty.ws.util.ProviderManager in project OpenAM by OpenRock.

the class IDFFNameIdentifierMapper method getNameIdentifier.

/**
 * Returns the <code>NameIdentifier</code> the Discovery Service should place in
 * credentials issued to <code>spProviderID</code> on behalf of <code>userID</code>.
 * If the user's federation record maps to a different <code>NameIdentifier</code>
 * than the one supplied, the mapped identifier is returned encrypted under the
 * service provider's encryption key, so it stays opaque to any proxying service
 * provider the credential passes through.
 *
 * @param spProviderID Provider ID of the service provider to which
 *     the <code>NameIdentifier</code> needs to be mapped.
 * @param idpProviderID Provider ID of the identity provider.
 * @param nameId The <code>NameIdentifier</code> that needs to be mapped.
 * @param userID The user whose mapped <code>NameIdentifier</code> will
 *     be returned. The value is the universal identifier of the user.
 * @return the mapped (possibly encrypted) <code>NameIdentifier</code>;
 *     <code>nameId</code> itself when no mapping is needed or no federation
 *     record exists; <code>null</code> on missing input or when the metadata,
 *     account or encryption lookups fail.
 */
public NameIdentifier getNameIdentifier(String spProviderID, String idpProviderID, NameIdentifier nameId, String userID) {
    try {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("IDFFNameIdentifierMapper, enter " + "spProviderID=" + spProviderID + ", idpProviderID=" + idpProviderID + ", userID=" + userID);
            if (nameId != null) {
                FSUtils.debug.message("IDFFNameIdentifierMapper, enter " + "name identifier=" + nameId.toString());
            }
        }
        boolean inputMissing = (spProviderID == null) || (idpProviderID == null) || (userID == null);
        if (inputMissing) {
            return null;
        }
        // Same entity: the discovery service itself is acting as the IDP.
        if (spProviderID.equals(idpProviderID)) {
            return nameId;
        }
        // Already qualified for this SP — nothing to map.
        if ((nameId != null) && spProviderID.equals(nameId.getNameQualifier())) {
            return nameId;
        }
        IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
        String metaAlias = metaManager.getIDPDescriptorConfig("/", idpProviderID).getMetaAlias();
        FSAccountFedInfo fedInfo = FSAccountManager.getInstance(metaAlias).readAccountFedInfo(userID, spProviderID);
        if (fedInfo == null) {
            return nameId;
        }
        NameIdentifier mapped = fedInfo.getLocalNameIdentifier();
        FSUtils.debug.message("IDFFNameIdentifierMapper : new Ni");
        ProviderManager pm = ProviderUtil.getProviderManager();
        Key encKey = (pm == null) ? null : pm.getEncryptionKey(spProviderID);
        if (encKey == null) {
            return mapped;
        }
        // The credential may be passed down through a proxy WSC; encrypt for the SP only.
        return EncryptedNameIdentifier.getEncryptedNameIdentifier(mapped, spProviderID, encKey, pm.getEncryptionKeyAlgorithm(spProviderID), pm.getEncryptionKeyStrength(spProviderID));
    } catch (FSAccountMgmtException e) {
        // the federation info might not be there, just ignore
        FSUtils.debug.message("IDFFNameIdentifierMapper, account error", e);
    } catch (FSException e) {
        // the federation info might not be there, just ignore
        FSUtils.debug.message("IDFFNameIdentifierMapper, encrypt error", e);
    } catch (IDFFMetaException e) {
        // the provider might not be a IDFF provider, just ignore
        FSUtils.debug.message("IDFFNameIdentifierMapper, meta error", e);
    }
    return null;
}
