
Example 56 with SecurityContext

Use of org.apache.cxf.security.SecurityContext in the project cxf by apache.

From the class DirectAuthorizationService, method authorize:

@POST
@Consumes("application/x-www-form-urlencoded")
@Produces("text/html")
public Response authorize(MultivaluedMap<String, String> params) {
    // The caller must already be authenticated; the SecurityContext is validated before any token is issued
    SecurityContext sc = getAndValidateSecurityContext(params);
    Client client = getClient(params);
    // Create a UserSubject representing the end user
    UserSubject userSubject = createUserSubject(sc, params);
    AccessTokenRegistration reg = new AccessTokenRegistration();
    reg.setClient(client);
    reg.setGrantType(OAuthConstants.DIRECT_TOKEN_GRANT);
    reg.setSubject(userSubject);
    String providedScope = params.getFirst(OAuthConstants.SCOPE);
    List<String> requestedScope = OAuthUtils.getRequestedScopes(client, providedScope, useAllClientScopes, partialMatchScopeValidation);
    reg.setRequestedScope(requestedScope);
    reg.setApprovedScope(requestedScope);
    ServerAccessToken token = getDataProvider().createAccessToken(reg);
    ClientAccessToken clientToken = OAuthUtils.toClientAccessToken(token, isWriteOptionalParameters());
    return Response.ok(clientToken).build();
}
Also used: ServerAccessToken (org.apache.cxf.rs.security.oauth2.common.ServerAccessToken), UserSubject (org.apache.cxf.rs.security.oauth2.common.UserSubject), ClientAccessToken (org.apache.cxf.rs.security.oauth2.common.ClientAccessToken), SecurityContext (org.apache.cxf.security.SecurityContext), Client (org.apache.cxf.rs.security.oauth2.common.Client), AccessTokenRegistration (org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration), POST (javax.ws.rs.POST), Consumes (javax.ws.rs.Consumes), Produces (javax.ws.rs.Produces)

Example 57 with SecurityContext

Use of org.apache.cxf.security.SecurityContext in the project cxf by apache.

From the class JwtBearerAuthHandler, method filter:

@Override
public void filter(ContainerRequestContext context) {
    Message message = JAXRSUtils.getCurrentMessage();
    Form form = readFormData(message);
    MultivaluedMap<String, String> formData = form.asMap();
    // Only the JWT bearer client-assertion type is accepted; anything else is rejected as unauthorized
    String assertionType = formData.getFirst(Constants.CLIENT_AUTH_ASSERTION_TYPE);
    String decodedAssertionType = assertionType != null ? HttpUtils.urlDecode(assertionType) : null;
    if (decodedAssertionType == null || !Constants.CLIENT_AUTH_JWT_BEARER.equals(decodedAssertionType)) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
    String assertion = formData.getFirst(Constants.CLIENT_AUTH_ASSERTION_PARAM);
    if (assertion == null) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
    String clientId = formData.getFirst(OAuthConstants.CLIENT_ID);
    Client client = null;
    if (clientId != null && clientProvider != null) {
        client = clientProvider.getClient(clientId);
        if (client == null) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
        message.put(Client.class, client);
    }
    // Validate the assertion and check that its subject claim matches the client_id (if one was supplied)
    JwtToken token = super.getJwtToken(assertion, client);
    String subjectName = (String) token.getClaim(JwtConstants.CLAIM_SUBJECT);
    if (clientId != null && !clientId.equals(subjectName)) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
    message.put(OAuthConstants.CLIENT_ID, subjectName);
    formData.remove(OAuthConstants.CLIENT_ID);
    formData.remove(Constants.CLIENT_AUTH_ASSERTION_PARAM);
    formData.remove(Constants.CLIENT_AUTH_ASSERTION_TYPE);
    SecurityContext securityContext = configureSecurityContext(token);
    if (securityContext != null) {
        JAXRSUtils.getCurrentMessage().put(SecurityContext.class, securityContext);
    }
    // restore input stream
    try {
        FormUtils.restoreForm(provider, form, message);
    } catch (Exception ex) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
}
Also used: JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken), Message (org.apache.cxf.message.Message), Form (javax.ws.rs.core.Form), SecurityContext (org.apache.cxf.security.SecurityContext), JwtTokenSecurityContext (org.apache.cxf.rs.security.jose.jaxrs.JwtTokenSecurityContext), Client (org.apache.cxf.rs.security.oauth2.common.Client), OAuthServiceException (org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException)

Example 58 with SecurityContext

Use of org.apache.cxf.security.SecurityContext in the project cxf by apache.

From the class ClaimsAuthorizingInterceptor, method handleMessage:

public void handleMessage(Message message) throws Fault {
    // Only a ClaimsSecurityContext carries the claims this interceptor authorizes against; deny otherwise
    SecurityContext sc = message.get(SecurityContext.class);
    if (!(sc instanceof ClaimsSecurityContext)) {
        throw new AccessDeniedException("Security Context is unavailable or unrecognized");
    }
    Method method = MessageUtils.getTargetMethod(message).orElseThrow(() -> new AccessDeniedException("Method is not available : Unauthorized"));
    if (authorize((ClaimsSecurityContext) sc, method)) {
        return;
    }
    throw new AccessDeniedException("Unauthorized");
}
Also used: AccessDeniedException (org.apache.cxf.interceptor.security.AccessDeniedException), ClaimsSecurityContext (org.apache.cxf.rt.security.claims.ClaimsSecurityContext), SecurityContext (org.apache.cxf.security.SecurityContext), Method (java.lang.reflect.Method)

Example 59 with SecurityContext

Use of org.apache.cxf.security.SecurityContext in the project cxf by apache.

From the class WSS4JBasicAuthValidator, method validate:

protected void validate(Message message) throws WSSecurityException {
    AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
    if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
        String name = null;
        if (policy != null) {
            name = policy.getUserName();
        }
        String errorMsg = "No user name and/or password is available, name: " + name;
        LOG.warning(errorMsg);
        throw new SecurityException(errorMsg);
    }
    // Wrap the HTTP Basic credentials as a UsernameToken and run it through the configured WSS4J validator
    UsernameToken token = convertPolicyToToken(policy);
    Credential credential = new Credential();
    credential.setUsernametoken(token);
    RequestData data = new RequestData();
    data.setMsgContext(message);
    data.setCallbackHandler(callbackHandler);
    credential = getValidator().validate(credential, data);
    // Create a Principal/SecurityContext
    final SecurityContext sc;
    if (credential != null && credential.getPrincipal() != null) {
        sc = createSecurityContext(message, credential);
    } else {
        Principal p = new WSUsernameTokenPrincipalImpl(policy.getUserName(), false);
        ((WSUsernameTokenPrincipalImpl) p).setPassword(policy.getPassword());
        sc = createSecurityContext(p);
    }
    message.put(SecurityContext.class, sc);
}
Also used: AuthorizationPolicy (org.apache.cxf.configuration.security.AuthorizationPolicy), Credential (org.apache.wss4j.dom.validate.Credential), RequestData (org.apache.wss4j.dom.handler.RequestData), UsernameToken (org.apache.wss4j.dom.message.token.UsernameToken), SAMLSecurityContext (org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext), SecurityContext (org.apache.cxf.security.SecurityContext), WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException), Principal (java.security.Principal), WSUsernameTokenPrincipalImpl (org.apache.wss4j.common.principal.WSUsernameTokenPrincipalImpl)

Example 60 with SecurityContext

Use of org.apache.cxf.security.SecurityContext in the project cxf by apache.

From the class XACMLAuthorizingInterceptorTest, method testDeny:

@org.junit.Test
public void testDeny() throws Exception {
    // Mock up a Security Context
    SecurityContext sc = createSecurityContext("alice", "boss");
    String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
    MessageImpl msg = new MessageImpl();
    msg.put(Message.WSDL_OPERATION, QName.valueOf(operation));
    String service = "{http://www.example.org/contract/DoubleIt}DoubleItService";
    msg.put(Message.WSDL_SERVICE, QName.valueOf(service));
    String resourceURI = "https://localhost:8080/doubleit";
    msg.put(Message.REQUEST_URI, resourceURI);
    msg.put(SecurityContext.class, sc);
    PolicyDecisionPoint pdp = new DummyPDP();
    XACMLAuthorizingInterceptor authorizingInterceptor = new XACMLAuthorizingInterceptor(pdp);
    try {
        authorizingInterceptor.handleMessage(msg);
        fail("Failure expected on deny");
    } catch (Exception ex) {
        // Failure expected
    }
}
Also used: SecurityContext (org.apache.cxf.security.SecurityContext), LoginSecurityContext (org.apache.cxf.security.LoginSecurityContext), MessageImpl (org.apache.cxf.message.MessageImpl)
