Example 76 with ReceivedToken
use of org.apache.cxf.sts.request.ReceivedToken in project cxf by apache.
the class TokenCancelOperation method cancel.
public RequestSecurityTokenResponseType cancel(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
long start = System.currentTimeMillis();
TokenCancellerParameters cancellerParameters = new TokenCancellerParameters();
try {
RequestRequirements requestRequirements = parseRequest(request, messageContext);
KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
cancellerParameters.setStsProperties(stsProperties);
cancellerParameters.setPrincipal(principal);
cancellerParameters.setMessageContext(messageContext);
cancellerParameters.setTokenStore(getTokenStore());
cancellerParameters.setKeyRequirements(keyRequirements);
cancellerParameters.setTokenRequirements(tokenRequirements);
ReceivedToken cancelTarget = tokenRequirements.getCancelTarget();
if (cancelTarget == null || cancelTarget.getToken() == null) {
throw new STSException("No element presented for cancellation", STSException.INVALID_REQUEST);
}
cancellerParameters.setToken(cancelTarget);
if (tokenRequirements.getTokenType() == null) {
tokenRequirements.setTokenType(STSConstants.STATUS);
LOG.fine("Received TokenType is null, falling back to default token type: " + STSConstants.STATUS);
}
//
// Cancel token
//
TokenCancellerResponse tokenResponse = null;
for (TokenCanceller tokenCanceller : tokencancellers) {
if (tokenCanceller.canHandleToken(cancelTarget)) {
try {
tokenResponse = tokenCanceller.cancelToken(cancellerParameters);
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error while cancelling a token", ex, STSException.REQUEST_FAILED);
}
break;
}
}
if (tokenResponse == null || tokenResponse.getToken() == null) {
LOG.fine("No Token Canceller has been found that can handle this token");
throw new STSException("No token canceller found for requested token type: " + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
}
if (tokenResponse.getToken().getState() != STATE.CANCELLED) {
LOG.log(Level.WARNING, "Token cancellation failed.");
throw new STSException("Token cancellation failed.");
}
// prepare response
try {
RequestSecurityTokenResponseType response = createResponse(tokenRequirements);
STSCancelSuccessEvent event = new STSCancelSuccessEvent(cancellerParameters, System.currentTimeMillis() - start);
publishEvent(event);
return response;
} catch (Throwable ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
}
} catch (RuntimeException ex) {
STSCancelFailureEvent event = new STSCancelFailureEvent(cancellerParameters, System.currentTimeMillis() - start, ex);
publishEvent(event);
throw ex;
}
}
Also used :
TokenCancellerParameters(org.apache.cxf.sts.token.canceller.TokenCancellerParameters)
RequestRequirements(org.apache.cxf.sts.request.RequestRequirements)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)
STSCancelSuccessEvent(org.apache.cxf.sts.event.STSCancelSuccessEvent)
TokenCancellerResponse(org.apache.cxf.sts.token.canceller.TokenCancellerResponse)
STSCancelFailureEvent(org.apache.cxf.sts.event.STSCancelFailureEvent)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
TokenCanceller(org.apache.cxf.sts.token.canceller.TokenCanceller)
Example 77 with ReceivedToken
use of org.apache.cxf.sts.request.ReceivedToken in project cxf by apache.
the class TokenIssueOperation method issueSingle.
public RequestSecurityTokenResponseType issueSingle(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
long start = System.currentTimeMillis();
TokenProviderParameters providerParameters = new TokenProviderParameters();
try {
RequestRequirements requestRequirements = parseRequest(request, messageContext);
providerParameters = createTokenProviderParameters(requestRequirements, principal, messageContext);
providerParameters.setClaimsManager(claimsManager);
String realm = providerParameters.getRealm();
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
String tokenType = tokenRequirements.getTokenType();
if (stsProperties.getSamlRealmCodec() != null) {
SamlAssertionWrapper assertion = fetchSAMLAssertionFromWSSecuritySAMLToken(messageContext);
if (assertion != null) {
String wssecRealm = stsProperties.getSamlRealmCodec().getRealmFromToken(assertion);
SAMLTokenPrincipal samlPrincipal = new SAMLTokenPrincipalImpl(assertion);
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("SAML token realm of user '" + samlPrincipal.getName() + "' is " + wssecRealm);
}
ReceivedToken wssecToken = new ReceivedToken(assertion.getElement());
wssecToken.setState(STATE.VALID);
TokenValidatorResponse tokenResponse = new TokenValidatorResponse();
tokenResponse.setPrincipal(samlPrincipal);
tokenResponse.setToken(wssecToken);
tokenResponse.setTokenRealm(wssecRealm);
tokenResponse.setAdditionalProperties(new HashMap<String, Object>());
processValidToken(providerParameters, wssecToken, tokenResponse);
providerParameters.setPrincipal(wssecToken.getPrincipal());
}
}
// Validate OnBehalfOf token if present
if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
ReceivedToken validateTarget = providerParameters.getTokenRequirements().getOnBehalfOf();
handleDelegationToken(validateTarget, providerParameters, principal, messageContext, realm, requestRequirements);
}
// See whether ActAs is allowed or not
if (providerParameters.getTokenRequirements().getActAs() != null) {
ReceivedToken validateTarget = providerParameters.getTokenRequirements().getActAs();
handleDelegationToken(validateTarget, providerParameters, principal, messageContext, realm, requestRequirements);
}
// create token
TokenProviderResponse tokenResponse = null;
for (TokenProvider tokenProvider : tokenProviders) {
boolean canHandle = false;
if (realm == null) {
canHandle = tokenProvider.canHandleToken(tokenType);
} else {
canHandle = tokenProvider.canHandleToken(tokenType, realm);
}
if (canHandle) {
try {
tokenResponse = tokenProvider.createToken(providerParameters);
} catch (STSException ex) {
LOG.log(Level.WARNING, "", ex);
throw ex;
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
}
break;
}
}
if (tokenResponse == null || tokenResponse.getToken() == null) {
LOG.log(Level.WARNING, "No token provider found for requested token type: " + tokenType);
throw new STSException("No token provider found for requested token type: " + tokenType, STSException.REQUEST_FAILED);
}
// prepare response
try {
KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
EncryptionProperties encryptionProperties = providerParameters.getEncryptionProperties();
RequestSecurityTokenResponseType response = createResponse(encryptionProperties, tokenResponse, tokenRequirements, keyRequirements);
STSIssueSuccessEvent event = new STSIssueSuccessEvent(providerParameters, System.currentTimeMillis() - start);
publishEvent(event);
return response;
} catch (Throwable ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
}
} catch (RuntimeException ex) {
LOG.log(Level.SEVERE, "Cannot issue token: " + ex.getMessage(), ex);
STSIssueFailureEvent event = new STSIssueFailureEvent(providerParameters, System.currentTimeMillis() - start, ex);
publishEvent(event);
throw ex;
}
}
Also used :
SAMLTokenPrincipal(org.apache.wss4j.common.principal.SAMLTokenPrincipal)
RequestRequirements(org.apache.cxf.sts.request.RequestRequirements)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)
TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)
TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
SAMLTokenPrincipalImpl(org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl)
STSIssueSuccessEvent(org.apache.cxf.sts.event.STSIssueSuccessEvent)
STSIssueFailureEvent(org.apache.cxf.sts.event.STSIssueFailureEvent)
Example 78 with ReceivedToken
use of org.apache.cxf.sts.request.ReceivedToken in project cxf by apache.
the class UsernameTokenDelegationHandler method isDelegationAllowed.
public TokenDelegationResponse isDelegationAllowed(TokenDelegationParameters tokenParameters) {
TokenDelegationResponse response = new TokenDelegationResponse();
ReceivedToken delegateTarget = tokenParameters.getToken();
response.setToken(delegateTarget);
response.setDelegationAllowed(true);
return response;
}
Also used :
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
Example 79 with ReceivedToken
use of org.apache.cxf.sts.request.ReceivedToken in project cxf by apache.
the class ActAsAttributeStatementProvider method getStatement.
/**
* Get an AttributeStatementBean using the given parameters.
*/
public AttributeStatementBean getStatement(TokenProviderParameters providerParameters) {
AttributeStatementBean attrBean = new AttributeStatementBean();
TokenRequirements tokenRequirements = providerParameters.getTokenRequirements();
ReceivedToken actAs = tokenRequirements.getActAs();
try {
if (actAs != null) {
List<AttributeBean> attributeList = new ArrayList<>();
String tokenType = tokenRequirements.getTokenType();
AttributeBean parameterBean = handleAdditionalParameters(actAs.getToken(), tokenType);
if (!parameterBean.getAttributeValues().isEmpty()) {
attributeList.add(parameterBean);
}
attrBean.setSamlAttributes(attributeList);
}
} catch (WSSecurityException ex) {
throw new STSException(ex.getMessage(), ex);
}
return attrBean;
}
Also used :
AttributeStatementBean(org.apache.wss4j.common.saml.bean.AttributeStatementBean)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
ArrayList(java.util.ArrayList)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
AttributeBean(org.apache.wss4j.common.saml.bean.AttributeBean)
Example 80 with ReceivedToken
use of org.apache.cxf.sts.request.ReceivedToken in project cxf by apache.
the class DefaultSubjectProvider method getPrincipal.
/**
* Get the Principal (which is used as the Subject). By default, we check the following (in order):
* - A valid OnBehalfOf principal
* - A valid principal associated with a token received as ValidateTarget
* - The principal associated with the request. We don't need to check to see if it is "valid" here, as it
* is not parsed by the STS (but rather the WS-Security layer).
*/
protected Principal getPrincipal(SubjectProviderParameters subjectProviderParameters) {
TokenProviderParameters providerParameters = subjectProviderParameters.getProviderParameters();
Principal principal = null;
// if validation was successful, the principal was set in ReceivedToken
if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
ReceivedToken receivedToken = providerParameters.getTokenRequirements().getOnBehalfOf();
if (receivedToken.getState().equals(STATE.VALID)) {
principal = receivedToken.getPrincipal();
}
} else if (providerParameters.getTokenRequirements().getValidateTarget() != null) {
ReceivedToken receivedToken = providerParameters.getTokenRequirements().getValidateTarget();
if (receivedToken.getState().equals(STATE.VALID)) {
principal = receivedToken.getPrincipal();
}
} else {
principal = providerParameters.getPrincipal();
}
return principal;
}
Also used :
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
X500Principal(javax.security.auth.x500.X500Principal)
KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal)
Principal(java.security.Principal)
UsernameTokenPrincipal(org.apache.wss4j.common.principal.UsernameTokenPrincipal)
Aggregations
ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)115
Crypto (org.apache.wss4j.common.crypto.Crypto)59
TokenRequirements (org.apache.cxf.sts.request.TokenRequirements)55
Element (org.w3c.dom.Element)44
CallbackHandler (javax.security.auth.callback.CallbackHandler)42
TokenValidatorResponse (org.apache.cxf.sts.token.validator.TokenValidatorResponse)42
PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)38
Document (org.w3c.dom.Document)37
CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)35
TokenValidatorParameters (org.apache.cxf.sts.token.validator.TokenValidatorParameters)32
BinarySecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType)26
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)25
Test (org.junit.Test)25
Principal (java.security.Principal)24
STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)22
STSException (org.apache.cxf.ws.security.sts.provider.STSException)19
TokenProviderParameters (org.apache.cxf.sts.token.provider.TokenProviderParameters)13
TokenProviderResponse (org.apache.cxf.sts.token.provider.TokenProviderResponse)13
TokenValidator (org.apache.cxf.sts.token.validator.TokenValidator)13
RequestData (org.apache.wss4j.dom.handler.RequestData)13
