Search in sources :

Example 36 with KeyRequirements

use of org.apache.cxf.sts.request.KeyRequirements in project cxf by apache.

the class TokenCancelOperation method cancel.

public RequestSecurityTokenResponseType cancel(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
    long start = System.currentTimeMillis();
    TokenCancellerParameters cancellerParameters = new TokenCancellerParameters();
    try {
        RequestRequirements requestRequirements = parseRequest(request, messageContext);
        KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
        TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
        cancellerParameters.setStsProperties(stsProperties);
        cancellerParameters.setPrincipal(principal);
        cancellerParameters.setMessageContext(messageContext);
        cancellerParameters.setTokenStore(getTokenStore());
        cancellerParameters.setKeyRequirements(keyRequirements);
        cancellerParameters.setTokenRequirements(tokenRequirements);
        ReceivedToken cancelTarget = tokenRequirements.getCancelTarget();
        if (cancelTarget == null || cancelTarget.getToken() == null) {
            throw new STSException("No element presented for cancellation", STSException.INVALID_REQUEST);
        }
        cancellerParameters.setToken(cancelTarget);
        if (tokenRequirements.getTokenType() == null) {
            tokenRequirements.setTokenType(STSConstants.STATUS);
            LOG.fine("Received TokenType is null, falling back to default token type: " + STSConstants.STATUS);
        }
        // 
        // Cancel token
        // 
        TokenCancellerResponse tokenResponse = null;
        for (TokenCanceller tokenCanceller : tokencancellers) {
            if (tokenCanceller.canHandleToken(cancelTarget)) {
                try {
                    tokenResponse = tokenCanceller.cancelToken(cancellerParameters);
                } catch (RuntimeException ex) {
                    LOG.log(Level.WARNING, "", ex);
                    throw new STSException("Error while cancelling a token", ex, STSException.REQUEST_FAILED);
                }
                break;
            }
        }
        if (tokenResponse == null || tokenResponse.getToken() == null) {
            LOG.fine("No Token Canceller has been found that can handle this token");
            throw new STSException("No token canceller found for requested token type: " + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
        }
        if (tokenResponse.getToken().getState() != STATE.CANCELLED) {
            LOG.log(Level.WARNING, "Token cancellation failed.");
            throw new STSException("Token cancellation failed.");
        }
        // prepare response
        try {
            RequestSecurityTokenResponseType response = createResponse(tokenRequirements);
            STSCancelSuccessEvent event = new STSCancelSuccessEvent(cancellerParameters, System.currentTimeMillis() - start);
            publishEvent(event);
            return response;
        } catch (Throwable ex) {
            LOG.log(Level.WARNING, "", ex);
            throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
        }
    } catch (RuntimeException ex) {
        STSCancelFailureEvent event = new STSCancelFailureEvent(cancellerParameters, System.currentTimeMillis() - start, ex);
        publishEvent(event);
        throw ex;
    }
}
Also used : TokenCancellerParameters(org.apache.cxf.sts.token.canceller.TokenCancellerParameters) RequestRequirements(org.apache.cxf.sts.request.RequestRequirements) STSException(org.apache.cxf.ws.security.sts.provider.STSException) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) STSCancelSuccessEvent(org.apache.cxf.sts.event.STSCancelSuccessEvent) TokenCancellerResponse(org.apache.cxf.sts.token.canceller.TokenCancellerResponse) STSCancelFailureEvent(org.apache.cxf.sts.event.STSCancelFailureEvent) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) TokenCanceller(org.apache.cxf.sts.token.canceller.TokenCanceller)

Example 37 with KeyRequirements

use of org.apache.cxf.sts.request.KeyRequirements in project cxf by apache.

the class TokenIssueOperation method issueSingle.

public RequestSecurityTokenResponseType issueSingle(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
    long start = System.currentTimeMillis();
    TokenProviderParameters providerParameters = new TokenProviderParameters();
    try {
        RequestRequirements requestRequirements = parseRequest(request, messageContext);
        providerParameters = createTokenProviderParameters(requestRequirements, principal, messageContext);
        providerParameters.setClaimsManager(claimsManager);
        String realm = providerParameters.getRealm();
        TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
        String tokenType = tokenRequirements.getTokenType();
        if (stsProperties.getSamlRealmCodec() != null) {
            SamlAssertionWrapper assertion = fetchSAMLAssertionFromWSSecuritySAMLToken(messageContext);
            if (assertion != null) {
                String wssecRealm = stsProperties.getSamlRealmCodec().getRealmFromToken(assertion);
                SAMLTokenPrincipal samlPrincipal = new SAMLTokenPrincipalImpl(assertion);
                if (LOG.isLoggable(Level.FINE)) {
                    LOG.fine("SAML token realm of user '" + samlPrincipal.getName() + "' is " + wssecRealm);
                }
                ReceivedToken wssecToken = new ReceivedToken(assertion.getElement());
                wssecToken.setState(STATE.VALID);
                TokenValidatorResponse tokenResponse = new TokenValidatorResponse();
                tokenResponse.setPrincipal(samlPrincipal);
                tokenResponse.setToken(wssecToken);
                tokenResponse.setTokenRealm(wssecRealm);
                tokenResponse.setAdditionalProperties(new HashMap<String, Object>());
                processValidToken(providerParameters, wssecToken, tokenResponse);
                providerParameters.setPrincipal(wssecToken.getPrincipal());
            }
        }
        // Validate OnBehalfOf token if present
        if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
            ReceivedToken validateTarget = providerParameters.getTokenRequirements().getOnBehalfOf();
            handleDelegationToken(validateTarget, providerParameters, principal, messageContext, realm, requestRequirements);
        }
        // See whether ActAs is allowed or not
        if (providerParameters.getTokenRequirements().getActAs() != null) {
            ReceivedToken validateTarget = providerParameters.getTokenRequirements().getActAs();
            handleDelegationToken(validateTarget, providerParameters, principal, messageContext, realm, requestRequirements);
        }
        // create token
        TokenProviderResponse tokenResponse = null;
        for (TokenProvider tokenProvider : tokenProviders) {
            boolean canHandle = false;
            if (realm == null) {
                canHandle = tokenProvider.canHandleToken(tokenType);
            } else {
                canHandle = tokenProvider.canHandleToken(tokenType, realm);
            }
            if (canHandle) {
                try {
                    tokenResponse = tokenProvider.createToken(providerParameters);
                } catch (STSException ex) {
                    LOG.log(Level.WARNING, "", ex);
                    throw ex;
                } catch (RuntimeException ex) {
                    LOG.log(Level.WARNING, "", ex);
                    throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
                }
                break;
            }
        }
        if (tokenResponse == null || tokenResponse.getToken() == null) {
            LOG.log(Level.WARNING, "No token provider found for requested token type: " + tokenType);
            throw new STSException("No token provider found for requested token type: " + tokenType, STSException.REQUEST_FAILED);
        }
        // prepare response
        try {
            KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
            EncryptionProperties encryptionProperties = providerParameters.getEncryptionProperties();
            RequestSecurityTokenResponseType response = createResponse(encryptionProperties, tokenResponse, tokenRequirements, keyRequirements);
            STSIssueSuccessEvent event = new STSIssueSuccessEvent(providerParameters, System.currentTimeMillis() - start);
            publishEvent(event);
            return response;
        } catch (Throwable ex) {
            LOG.log(Level.WARNING, "", ex);
            throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
        }
    } catch (RuntimeException ex) {
        LOG.log(Level.SEVERE, "Cannot issue token: " + ex.getMessage(), ex);
        STSIssueFailureEvent event = new STSIssueFailureEvent(providerParameters, System.currentTimeMillis() - start, ex);
        publishEvent(event);
        throw ex;
    }
}
Also used : SAMLTokenPrincipal(org.apache.wss4j.common.principal.SAMLTokenPrincipal) RequestRequirements(org.apache.cxf.sts.request.RequestRequirements) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) STSException(org.apache.cxf.ws.security.sts.provider.STSException) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters) TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) SAMLTokenPrincipalImpl(org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl) STSIssueSuccessEvent(org.apache.cxf.sts.event.STSIssueSuccessEvent) STSIssueFailureEvent(org.apache.cxf.sts.event.STSIssueFailureEvent)

Example 38 with KeyRequirements

use of org.apache.cxf.sts.request.KeyRequirements in project cxf by apache.

the class DefaultSubjectProvider method createSubjectBean.

/**
 * Create the SubjectBean using the specified principal.
 */
protected SubjectBean createSubjectBean(Principal principal, SubjectProviderParameters subjectProviderParameters) {
    TokenProviderParameters providerParameters = subjectProviderParameters.getProviderParameters();
    TokenRequirements tokenRequirements = providerParameters.getTokenRequirements();
    KeyRequirements keyRequirements = providerParameters.getKeyRequirements();
    String tokenType = tokenRequirements.getTokenType();
    String keyType = keyRequirements.getKeyType();
    String confirmationMethod = getSubjectConfirmationMethod(tokenType, keyType);
    String subjectName = principal.getName();
    String localSubjectNameIDFormat = subjectNameIDFormat;
    if (SAML2Constants.NAMEID_FORMAT_UNSPECIFIED.equals(localSubjectNameIDFormat) && principal instanceof X500Principal) {
        // Just use the "cn" instead of the entire DN
        try {
            LdapName ln = new LdapName(principal.getName());
            for (Rdn rdn : ln.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType()) && (rdn.getValue() instanceof String)) {
                    subjectName = (String) rdn.getValue();
                    break;
                }
            }
        } catch (Throwable ex) {
            subjectName = principal.getName();
        // Ignore, not X500 compliant thus use the whole string as the value
        }
    } else if (!SAML2Constants.NAMEID_FORMAT_UNSPECIFIED.equals(localSubjectNameIDFormat)) {
        /* Set subjectNameIDFormat correctly based on type of principal
                unless already set to some value other than unspecified */
        if (principal instanceof UsernameTokenPrincipal) {
            localSubjectNameIDFormat = SAML2Constants.NAMEID_FORMAT_PERSISTENT;
        } else if (principal instanceof X500Principal) {
            localSubjectNameIDFormat = SAML2Constants.NAMEID_FORMAT_X509_SUBJECT_NAME;
        } else if (principal instanceof KerberosPrincipal) {
            localSubjectNameIDFormat = SAML2Constants.NAMEID_FORMAT_KERBEROS;
        } else if (localSubjectNameIDFormat == null) {
            localSubjectNameIDFormat = SAML2Constants.NAMEID_FORMAT_UNSPECIFIED;
        }
    }
    SubjectBean subjectBean = new SubjectBean(subjectName, subjectNameQualifier, confirmationMethod);
    if (LOG.isLoggable(Level.FINE)) {
        LOG.fine("Creating new subject with principal name: " + principal.getName());
    }
    subjectBean.setSubjectNameIDFormat(localSubjectNameIDFormat);
    return subjectBean;
}
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) SubjectBean(org.apache.wss4j.common.saml.bean.SubjectBean) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) UsernameTokenPrincipal(org.apache.wss4j.common.principal.UsernameTokenPrincipal) X500Principal(javax.security.auth.x500.X500Principal) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) Rdn(javax.naming.ldap.Rdn) LdapName(javax.naming.ldap.LdapName)

Example 39 with KeyRequirements

use of org.apache.cxf.sts.request.KeyRequirements in project cxf by apache.

the class JexlIssueSamlClaimsTest method createProviderParameters.

private TokenProviderParameters createProviderParameters(String tokenType, String keyType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler) throws WSSecurityException {
    TokenProviderParameters parameters = new TokenProviderParameters();
    TokenRequirements tokenRequirements = new TokenRequirements();
    tokenRequirements.setTokenType(tokenType);
    parameters.setTokenRequirements(tokenRequirements);
    KeyRequirements keyRequirements = new KeyRequirements();
    keyRequirements.setKeyType(keyType);
    parameters.setKeyRequirements(keyRequirements);
    parameters.setPrincipal(new CustomTokenPrincipal("alice"));
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    parameters.setMessageContext(msgCtx);
    parameters.setAppliesToAddress("http://dummy-service.com/dummy");
    // Add STSProperties object
    StaticSTSProperties stsProperties = new StaticSTSProperties();
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setSignatureUsername(signatureUsername);
    stsProperties.setCallbackHandler(callbackHandler);
    stsProperties.setIssuer("STS");
    parameters.setStsProperties(stsProperties);
    parameters.setEncryptionProperties(new EncryptionProperties());
    return parameters;
}
Also used : CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties) MessageImpl(org.apache.cxf.message.MessageImpl) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)

Example 40 with KeyRequirements

use of org.apache.cxf.sts.request.KeyRequirements in project cxf by apache.

the class IssueJWTClaimsUnitTest method createProviderParameters.

private TokenProviderParameters createProviderParameters(String tokenType, String keyType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler) throws WSSecurityException {
    TokenProviderParameters parameters = new TokenProviderParameters();
    TokenRequirements tokenRequirements = new TokenRequirements();
    tokenRequirements.setTokenType(tokenType);
    parameters.setTokenRequirements(tokenRequirements);
    KeyRequirements keyRequirements = new KeyRequirements();
    keyRequirements.setKeyType(keyType);
    parameters.setKeyRequirements(keyRequirements);
    parameters.setPrincipal(new CustomTokenPrincipal("alice"));
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    parameters.setMessageContext(msgCtx);
    parameters.setAppliesToAddress("http://dummy-service.com/dummy");
    // Add STSProperties object
    StaticSTSProperties stsProperties = new StaticSTSProperties();
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setSignatureUsername(signatureUsername);
    stsProperties.setCallbackHandler(callbackHandler);
    stsProperties.setIssuer("STS");
    parameters.setStsProperties(stsProperties);
    parameters.setEncryptionProperties(new EncryptionProperties());
    return parameters;
}
Also used : CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties) MessageImpl(org.apache.cxf.message.MessageImpl) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)

Aggregations

KeyRequirements (org.apache.cxf.sts.request.KeyRequirements)70 TokenRequirements (org.apache.cxf.sts.request.TokenRequirements)63 WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)54 MessageImpl (org.apache.cxf.message.MessageImpl)54 StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)54 CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)54 EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties)46 Crypto (org.apache.wss4j.common.crypto.Crypto)37 PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)36 TokenProviderParameters (org.apache.cxf.sts.token.provider.TokenProviderParameters)28 STSException (org.apache.cxf.ws.security.sts.provider.STSException)10 ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)7 ReceivedKey (org.apache.cxf.sts.request.ReceivedKey)4 CryptoType (org.apache.wss4j.common.crypto.CryptoType)4 Element (org.w3c.dom.Element)4 X509Certificate (java.security.cert.X509Certificate)3 RequestRequirements (org.apache.cxf.sts.request.RequestRequirements)3 TokenValidatorParameters (org.apache.cxf.sts.token.validator.TokenValidatorParameters)3 RequestSecurityTokenResponseType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)3 SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)3