Search in sources :

Example 1 with RealmParser

use of org.apache.cxf.sts.RealmParser in project cxf by apache.

the class TokenRenewOperation method renew.

public RequestSecurityTokenResponseType renew(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
    long start = System.currentTimeMillis();
    TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
    try {
        RequestRequirements requestRequirements = parseRequest(request, messageContext);
        KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
        TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
        renewerParameters.setStsProperties(stsProperties);
        renewerParameters.setPrincipal(principal);
        renewerParameters.setMessageContext(messageContext);
        renewerParameters.setTokenStore(getTokenStore());
        renewerParameters.setKeyRequirements(keyRequirements);
        renewerParameters.setTokenRequirements(tokenRequirements);
        ReceivedToken renewTarget = tokenRequirements.getRenewTarget();
        if (renewTarget == null || renewTarget.getToken() == null) {
            throw new STSException("No element presented for renewal", STSException.INVALID_REQUEST);
        }
        renewerParameters.setToken(renewTarget);
        if (tokenRequirements.getTokenType() == null) {
            LOG.fine("Received TokenType is null");
        }
        // Get the realm of the request
        String realm = null;
        if (stsProperties.getRealmParser() != null) {
            RealmParser realmParser = stsProperties.getRealmParser();
            realm = realmParser.parseRealm(messageContext);
        }
        renewerParameters.setRealm(realm);
        // Validate the request
        TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, tokenRequirements, renewTarget);
        if (tokenResponse == null) {
            LOG.fine("No Token Validator has been found that can handle this token");
            renewTarget.setState(STATE.INVALID);
            throw new STSException("No Token Validator has been found that can handle this token" + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
        }
        // Reject an invalid token
        if (tokenResponse.getToken().getState() != STATE.EXPIRED && tokenResponse.getToken().getState() != STATE.VALID) {
            LOG.fine("The token is not valid or expired, and so it cannot be renewed");
            throw new STSException("No Token Validator has been found that can handle this token" + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
        }
        // 
        // Renew the token
        // 
        TokenRenewerResponse tokenRenewerResponse = null;
        renewerParameters = createTokenRenewerParameters(requestRequirements, principal, messageContext);
        Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
        if (additionalProperties != null) {
            renewerParameters.setAdditionalProperties(additionalProperties);
        }
        renewerParameters.setRealm(tokenResponse.getTokenRealm());
        renewerParameters.setToken(tokenResponse.getToken());
        realm = tokenResponse.getTokenRealm();
        for (TokenRenewer tokenRenewer : tokenRenewers) {
            final boolean canHandle;
            if (realm == null) {
                canHandle = tokenRenewer.canHandleToken(tokenResponse.getToken());
            } else {
                canHandle = tokenRenewer.canHandleToken(tokenResponse.getToken(), realm);
            }
            if (canHandle) {
                try {
                    tokenRenewerResponse = tokenRenewer.renewToken(renewerParameters);
                } catch (STSException ex) {
                    LOG.log(Level.WARNING, "", ex);
                    throw ex;
                } catch (RuntimeException ex) {
                    LOG.log(Level.WARNING, "", ex);
                    throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
                }
                break;
            }
        }
        if (tokenRenewerResponse == null || tokenRenewerResponse.getToken() == null) {
            LOG.fine("No Token Renewer has been found that can handle this token");
            throw new STSException("No token renewer found for requested token type", STSException.REQUEST_FAILED);
        }
        // prepare response
        try {
            EncryptionProperties encryptionProperties = renewerParameters.getEncryptionProperties();
            RequestSecurityTokenResponseType response = createResponse(encryptionProperties, tokenRenewerResponse, tokenRequirements, keyRequirements);
            STSRenewSuccessEvent event = new STSRenewSuccessEvent(renewerParameters, System.currentTimeMillis() - start);
            publishEvent(event);
            cleanRequest(requestRequirements);
            return response;
        } catch (Throwable ex) {
            LOG.log(Level.WARNING, "", ex);
            throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
        }
    } catch (RuntimeException ex) {
        STSRenewFailureEvent event = new STSRenewFailureEvent(renewerParameters, System.currentTimeMillis() - start, ex);
        publishEvent(event);
        throw ex;
    }
}
Also used : STSRenewSuccessEvent(org.apache.cxf.sts.event.STSRenewSuccessEvent) TokenRenewerResponse(org.apache.cxf.sts.token.renewer.TokenRenewerResponse) RequestRequirements(org.apache.cxf.sts.request.RequestRequirements) STSException(org.apache.cxf.ws.security.sts.provider.STSException) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) RealmParser(org.apache.cxf.sts.RealmParser) STSRenewFailureEvent(org.apache.cxf.sts.event.STSRenewFailureEvent) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) TokenRenewerParameters(org.apache.cxf.sts.token.renewer.TokenRenewerParameters) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) TokenRenewer(org.apache.cxf.sts.token.renewer.TokenRenewer)

Example 2 with RealmParser

use of org.apache.cxf.sts.RealmParser in project cxf by apache.

the class TokenValidateOperation method validate.

public RequestSecurityTokenResponseType validate(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
    long start = System.currentTimeMillis();
    TokenValidatorParameters validatorParameters = new TokenValidatorParameters();
    try {
        RequestRequirements requestRequirements = parseRequest(request, messageContext);
        TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
        validatorParameters.setStsProperties(stsProperties);
        validatorParameters.setPrincipal(principal);
        validatorParameters.setMessageContext(messageContext);
        validatorParameters.setTokenStore(getTokenStore());
        // validatorParameters.setKeyRequirements(keyRequirements);
        validatorParameters.setTokenRequirements(tokenRequirements);
        ReceivedToken validateTarget = tokenRequirements.getValidateTarget();
        if (validateTarget == null || validateTarget.getToken() == null) {
            throw new STSException("No element presented for validation", STSException.INVALID_REQUEST);
        }
        validatorParameters.setToken(validateTarget);
        if (tokenRequirements.getTokenType() == null) {
            tokenRequirements.setTokenType(STSConstants.STATUS);
            LOG.fine("Received TokenType is null, falling back to default token type: " + STSConstants.STATUS);
        }
        // Get the realm of the request
        String realm = null;
        if (stsProperties.getRealmParser() != null) {
            RealmParser realmParser = stsProperties.getRealmParser();
            realm = realmParser.parseRealm(messageContext);
        }
        validatorParameters.setRealm(realm);
        TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, tokenRequirements, validateTarget);
        if (tokenResponse == null) {
            LOG.fine("No Token Validator has been found that can handle this token");
            tokenResponse = new TokenValidatorResponse();
            validateTarget.setState(STATE.INVALID);
            tokenResponse.setToken(validateTarget);
        }
        // 
        // Create a new token (if requested)
        // 
        TokenProviderResponse tokenProviderResponse = null;
        String tokenType = tokenRequirements.getTokenType();
        if (tokenResponse.getToken().getState() == STATE.VALID && !STSConstants.STATUS.equals(tokenType)) {
            TokenProviderParameters providerParameters = createTokenProviderParameters(requestRequirements, principal, messageContext);
            processValidToken(providerParameters, validateTarget, tokenResponse);
            // Check if the requested claims can be handled by the configured claim handlers
            providerParameters.setClaimsManager(claimsManager);
            Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
            if (additionalProperties != null) {
                providerParameters.setAdditionalProperties(additionalProperties);
            }
            realm = providerParameters.getRealm();
            for (TokenProvider tokenProvider : tokenProviders) {
                final boolean canHandle;
                if (realm == null) {
                    canHandle = tokenProvider.canHandleToken(tokenType);
                } else {
                    canHandle = tokenProvider.canHandleToken(tokenType, realm);
                }
                if (canHandle) {
                    try {
                        tokenProviderResponse = tokenProvider.createToken(providerParameters);
                    } catch (STSException ex) {
                        LOG.log(Level.WARNING, "", ex);
                        throw ex;
                    } catch (RuntimeException ex) {
                        LOG.log(Level.WARNING, "", ex);
                        throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
                    }
                    break;
                }
            }
            if (tokenProviderResponse == null || tokenProviderResponse.getToken() == null) {
                LOG.fine("No Token Provider has been found that can handle this token");
                throw new STSException("No token provider found for requested token type: " + tokenType, STSException.REQUEST_FAILED);
            }
        }
        // prepare response
        try {
            RequestSecurityTokenResponseType response = createResponse(tokenResponse, tokenProviderResponse, tokenRequirements);
            STSValidateSuccessEvent event = new STSValidateSuccessEvent(validatorParameters, System.currentTimeMillis() - start);
            publishEvent(event);
            cleanRequest(requestRequirements);
            return response;
        } catch (Throwable ex) {
            LOG.log(Level.WARNING, "", ex);
            throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
        }
    } catch (RuntimeException ex) {
        STSValidateFailureEvent event = new STSValidateFailureEvent(validatorParameters, System.currentTimeMillis() - start, ex);
        publishEvent(event);
        throw ex;
    }
}
Also used : RequestRequirements(org.apache.cxf.sts.request.RequestRequirements) STSException(org.apache.cxf.ws.security.sts.provider.STSException) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters) TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters) RealmParser(org.apache.cxf.sts.RealmParser) TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse) STSValidateSuccessEvent(org.apache.cxf.sts.event.STSValidateSuccessEvent) STSValidateFailureEvent(org.apache.cxf.sts.event.STSValidateFailureEvent)

Example 3 with RealmParser

use of org.apache.cxf.sts.RealmParser in project cxf by apache.

the class AbstractOperation method createTokenProviderParameters.

/**
 * Create a TokenProviderParameters object
 */
protected TokenProviderParameters createTokenProviderParameters(RequestRequirements requestRequirements, Principal principal, Map<String, Object> messageContext) {
    TokenProviderParameters providerParameters = new TokenProviderParameters();
    providerParameters.setStsProperties(stsProperties);
    providerParameters.setPrincipal(principal);
    providerParameters.setMessageContext(messageContext);
    providerParameters.setTokenStore(getTokenStore());
    providerParameters.setEncryptToken(encryptIssuedToken);
    KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
    TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
    providerParameters.setKeyRequirements(keyRequirements);
    providerParameters.setTokenRequirements(tokenRequirements);
    // Extract AppliesTo
    String address = extractAddressFromAppliesTo(tokenRequirements.getAppliesTo());
    if (LOG.isLoggable(Level.FINE)) {
        LOG.fine("The AppliesTo address that has been received is: " + address);
    }
    providerParameters.setAppliesToAddress(address);
    // Get the realm of the request
    if (stsProperties.getRealmParser() != null) {
        RealmParser realmParser = stsProperties.getRealmParser();
        String realm = realmParser.parseRealm(messageContext);
        providerParameters.setRealm(realm);
    }
    // Set the requested Claims
    ClaimCollection claims = tokenRequirements.getPrimaryClaims();
    providerParameters.setRequestedPrimaryClaims(claims);
    claims = tokenRequirements.getSecondaryClaims();
    providerParameters.setRequestedSecondaryClaims(claims);
    EncryptionProperties encryptionProperties = stsProperties.getEncryptionProperties();
    if (address != null) {
        boolean foundService = false;
        // Get the stored Service object corresponding to the Service endpoint
        if (services != null) {
            for (ServiceMBean service : services) {
                if (service.isAddressInEndpoints(address)) {
                    EncryptionProperties svcEncryptionProperties = service.getEncryptionProperties();
                    if (svcEncryptionProperties != null) {
                        encryptionProperties = svcEncryptionProperties;
                    }
                    if (tokenRequirements.getTokenType() == null) {
                        String tokenType = service.getTokenType();
                        tokenRequirements.setTokenType(tokenType);
                        LOG.fine("Using default token type of: " + tokenType);
                    }
                    if (keyRequirements.getKeyType() == null) {
                        String keyType = service.getKeyType();
                        keyRequirements.setKeyType(keyType);
                        LOG.fine("Using default key type of: " + keyType);
                    }
                    foundService = true;
                    break;
                }
            }
        }
        if (!foundService) {
            String msg = "No service corresponding to " + address + " is known. Check 'services' property configuration in SecurityTokenServiceProvider";
            LOG.log(Level.SEVERE, msg);
            throw new STSException(msg, STSException.REQUEST_FAILED);
        }
    }
    providerParameters.setEncryptionProperties(encryptionProperties);
    return providerParameters;
}
Also used : RealmParser(org.apache.cxf.sts.RealmParser) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) ServiceMBean(org.apache.cxf.sts.service.ServiceMBean) STSException(org.apache.cxf.ws.security.sts.provider.STSException) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)

Aggregations

RealmParser (org.apache.cxf.sts.RealmParser)3 TokenRequirements (org.apache.cxf.sts.request.TokenRequirements)3 STSException (org.apache.cxf.ws.security.sts.provider.STSException)3 KeyRequirements (org.apache.cxf.sts.request.KeyRequirements)2 ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)2 RequestRequirements (org.apache.cxf.sts.request.RequestRequirements)2 EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties)2 TokenProviderParameters (org.apache.cxf.sts.token.provider.TokenProviderParameters)2 TokenValidatorResponse (org.apache.cxf.sts.token.validator.TokenValidatorResponse)2 RequestSecurityTokenResponseType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)2 ClaimCollection (org.apache.cxf.rt.security.claims.ClaimCollection)1 STSRenewFailureEvent (org.apache.cxf.sts.event.STSRenewFailureEvent)1 STSRenewSuccessEvent (org.apache.cxf.sts.event.STSRenewSuccessEvent)1 STSValidateFailureEvent (org.apache.cxf.sts.event.STSValidateFailureEvent)1 STSValidateSuccessEvent (org.apache.cxf.sts.event.STSValidateSuccessEvent)1 ServiceMBean (org.apache.cxf.sts.service.ServiceMBean)1 TokenProvider (org.apache.cxf.sts.token.provider.TokenProvider)1 TokenProviderResponse (org.apache.cxf.sts.token.provider.TokenProviderResponse)1 TokenRenewer (org.apache.cxf.sts.token.renewer.TokenRenewer)1 TokenRenewerParameters (org.apache.cxf.sts.token.renewer.TokenRenewerParameters)1