Example 1 with TokenRequirements
use of org.apache.cxf.sts.request.TokenRequirements in project ddf by codice.
the class AuthNStatementProvider method getStatement.
/*
* (non-Javadoc)
*
* @see
* org.apache.cxf.sts.token.provider.AuthenticationStatementProvider#getStatement(org.apache
* .cxf.sts.token.provider.TokenProviderParameters)
*/
@Override
public AuthenticationStatementBean getStatement(TokenProviderParameters providerParameters) {
AuthenticationStatementBean authBean = new AuthenticationStatementBean();
authBean.setSessionIndex(Integer.toString(secureRandom.nextInt()));
TokenRequirements tokenRequirements = providerParameters.getTokenRequirements();
ReceivedToken receivedToken = null;
if (tokenRequirements.getValidateTarget() != null) {
receivedToken = tokenRequirements.getValidateTarget();
} else if (tokenRequirements.getOnBehalfOf() != null) {
receivedToken = tokenRequirements.getOnBehalfOf();
} else if (tokenRequirements.getActAs() != null) {
receivedToken = tokenRequirements.getActAs();
} else if (tokenRequirements.getRenewTarget() != null) {
receivedToken = tokenRequirements.getRenewTarget();
}
if (receivedToken != null) {
Principal principal = receivedToken.getPrincipal();
if (principal instanceof UsernameTokenPrincipal) {
authBean.setAuthenticationMethod(SAML2Constants.AUTH_CONTEXT_CLASS_REF_PASSWORD_PROTECTED_TRANSPORT);
} else if (principal instanceof X500Principal) {
authBean.setAuthenticationMethod(SAML2Constants.AUTH_CONTEXT_CLASS_REF_X509);
} else if (principal instanceof KerberosPrincipal) {
authBean.setAuthenticationMethod(SAML2Constants.AUTH_CONTEXT_CLASS_REF_KERBEROS);
} else {
authBean.setAuthenticationMethod(SAML2Constants.AUTH_CONTEXT_CLASS_REF_UNSPECIFIED);
}
} else {
authBean.setAuthenticationMethod(SAML2Constants.AUTH_CONTEXT_CLASS_REF_UNSPECIFIED);
}
return authBean;
}
Also used :
KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
UsernameTokenPrincipal(org.apache.wss4j.common.principal.UsernameTokenPrincipal)
AuthenticationStatementBean(org.apache.wss4j.common.saml.bean.AuthenticationStatementBean)
X500Principal(javax.security.auth.x500.X500Principal)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
Principal(java.security.Principal)
X500Principal(javax.security.auth.x500.X500Principal)
UsernameTokenPrincipal(org.apache.wss4j.common.principal.UsernameTokenPrincipal)
KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal)
Example 2 with TokenRequirements
use of org.apache.cxf.sts.request.TokenRequirements in project cxf by apache.
the class AbstractOperation method performDelegationHandling.
protected void performDelegationHandling(RequestRequirements requestRequirements, Principal principal, Map<String, Object> messageContext, ReceivedToken token, Principal tokenPrincipal, Set<Principal> tokenRoles) {
TokenDelegationParameters delegationParameters = new TokenDelegationParameters();
delegationParameters.setStsProperties(stsProperties);
delegationParameters.setPrincipal(principal);
delegationParameters.setMessageContext(messageContext);
delegationParameters.setTokenStore(getTokenStore());
delegationParameters.setTokenPrincipal(tokenPrincipal);
delegationParameters.setTokenRoles(tokenRoles);
KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
delegationParameters.setKeyRequirements(keyRequirements);
delegationParameters.setTokenRequirements(tokenRequirements);
// Extract AppliesTo
String address = extractAddressFromAppliesTo(tokenRequirements.getAppliesTo());
delegationParameters.setAppliesToAddress(address);
delegationParameters.setToken(token);
TokenDelegationResponse tokenResponse = null;
for (TokenDelegationHandler delegationHandler : delegationHandlers) {
if (delegationHandler.canHandleToken(token)) {
try {
tokenResponse = delegationHandler.isDelegationAllowed(delegationParameters);
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in delegation handling", ex, STSException.REQUEST_FAILED);
}
break;
}
}
if (tokenResponse == null || !tokenResponse.isDelegationAllowed()) {
LOG.log(Level.WARNING, "No matching token delegation handler found");
throw new STSException("No matching token delegation handler found", STSException.REQUEST_FAILED);
}
}
Also used :
TokenDelegationParameters(org.apache.cxf.sts.token.delegation.TokenDelegationParameters)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
TokenDelegationResponse(org.apache.cxf.sts.token.delegation.TokenDelegationResponse)
TokenDelegationHandler(org.apache.cxf.sts.token.delegation.TokenDelegationHandler)
Example 3 with TokenRequirements
use of org.apache.cxf.sts.request.TokenRequirements in project cxf by apache.
the class AbstractOperation method createTokenProviderParameters.
/**
* Create a TokenProviderParameters object
*/
protected TokenProviderParameters createTokenProviderParameters(RequestRequirements requestRequirements, Principal principal, Map<String, Object> messageContext) {
TokenProviderParameters providerParameters = new TokenProviderParameters();
providerParameters.setStsProperties(stsProperties);
providerParameters.setPrincipal(principal);
providerParameters.setMessageContext(messageContext);
providerParameters.setTokenStore(getTokenStore());
providerParameters.setEncryptToken(encryptIssuedToken);
KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
providerParameters.setKeyRequirements(keyRequirements);
providerParameters.setTokenRequirements(tokenRequirements);
// Extract AppliesTo
String address = extractAddressFromAppliesTo(tokenRequirements.getAppliesTo());
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("The AppliesTo address that has been received is: " + address);
}
providerParameters.setAppliesToAddress(address);
// Get the realm of the request
if (stsProperties.getRealmParser() != null) {
RealmParser realmParser = stsProperties.getRealmParser();
String realm = realmParser.parseRealm(messageContext);
providerParameters.setRealm(realm);
}
// Set the requested Claims
ClaimCollection claims = tokenRequirements.getPrimaryClaims();
providerParameters.setRequestedPrimaryClaims(claims);
claims = tokenRequirements.getSecondaryClaims();
providerParameters.setRequestedSecondaryClaims(claims);
EncryptionProperties encryptionProperties = stsProperties.getEncryptionProperties();
if (address != null) {
boolean foundService = false;
// Get the stored Service object corresponding to the Service endpoint
if (services != null) {
for (ServiceMBean service : services) {
if (service.isAddressInEndpoints(address)) {
EncryptionProperties svcEncryptionProperties = service.getEncryptionProperties();
if (svcEncryptionProperties != null) {
encryptionProperties = svcEncryptionProperties;
}
if (tokenRequirements.getTokenType() == null) {
String tokenType = service.getTokenType();
tokenRequirements.setTokenType(tokenType);
LOG.fine("Using default token type of: " + tokenType);
}
if (keyRequirements.getKeyType() == null) {
String keyType = service.getKeyType();
keyRequirements.setKeyType(keyType);
LOG.fine("Using default key type of: " + keyType);
}
foundService = true;
break;
}
}
}
if (!foundService) {
String msg = "No service corresponding to " + address + " is known. Check 'services' property configuration in SecurityTokenServiceProvider";
LOG.log(Level.SEVERE, msg);
throw new STSException(msg, STSException.REQUEST_FAILED);
}
}
providerParameters.setEncryptionProperties(encryptionProperties);
return providerParameters;
}
Also used :
RealmParser(org.apache.cxf.sts.RealmParser)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
ServiceMBean(org.apache.cxf.sts.service.ServiceMBean)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection)
TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)
Example 4 with TokenRequirements
use of org.apache.cxf.sts.request.TokenRequirements in project cxf by apache.
the class TokenRenewOperation method renew.
public RequestSecurityTokenResponseType renew(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
long start = System.currentTimeMillis();
TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
try {
RequestRequirements requestRequirements = parseRequest(request, messageContext);
KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
renewerParameters.setStsProperties(stsProperties);
renewerParameters.setPrincipal(principal);
renewerParameters.setMessageContext(messageContext);
renewerParameters.setTokenStore(getTokenStore());
renewerParameters.setKeyRequirements(keyRequirements);
renewerParameters.setTokenRequirements(tokenRequirements);
ReceivedToken renewTarget = tokenRequirements.getRenewTarget();
if (renewTarget == null || renewTarget.getToken() == null) {
throw new STSException("No element presented for renewal", STSException.INVALID_REQUEST);
}
renewerParameters.setToken(renewTarget);
if (tokenRequirements.getTokenType() == null) {
LOG.fine("Received TokenType is null");
}
// Get the realm of the request
String realm = null;
if (stsProperties.getRealmParser() != null) {
RealmParser realmParser = stsProperties.getRealmParser();
realm = realmParser.parseRealm(messageContext);
}
renewerParameters.setRealm(realm);
// Validate the request
TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, tokenRequirements, renewTarget);
if (tokenResponse == null) {
LOG.fine("No Token Validator has been found that can handle this token");
renewTarget.setState(STATE.INVALID);
throw new STSException("No Token Validator has been found that can handle this token" + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
}
// Reject an invalid token
if (tokenResponse.getToken().getState() != STATE.EXPIRED && tokenResponse.getToken().getState() != STATE.VALID) {
LOG.fine("The token is not valid or expired, and so it cannot be renewed");
throw new STSException("No Token Validator has been found that can handle this token" + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
}
//
// Renew the token
//
TokenRenewerResponse tokenRenewerResponse = null;
renewerParameters = createTokenRenewerParameters(requestRequirements, principal, messageContext);
Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
if (additionalProperties != null) {
renewerParameters.setAdditionalProperties(additionalProperties);
}
renewerParameters.setRealm(tokenResponse.getTokenRealm());
renewerParameters.setToken(tokenResponse.getToken());
realm = tokenResponse.getTokenRealm();
for (TokenRenewer tokenRenewer : tokenRenewers) {
boolean canHandle = false;
if (realm == null) {
canHandle = tokenRenewer.canHandleToken(tokenResponse.getToken());
} else {
canHandle = tokenRenewer.canHandleToken(tokenResponse.getToken(), realm);
}
if (canHandle) {
try {
tokenRenewerResponse = tokenRenewer.renewToken(renewerParameters);
} catch (STSException ex) {
LOG.log(Level.WARNING, "", ex);
throw ex;
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
}
break;
}
}
if (tokenRenewerResponse == null || tokenRenewerResponse.getToken() == null) {
LOG.fine("No Token Renewer has been found that can handle this token");
throw new STSException("No token renewer found for requested token type", STSException.REQUEST_FAILED);
}
// prepare response
try {
EncryptionProperties encryptionProperties = renewerParameters.getEncryptionProperties();
RequestSecurityTokenResponseType response = createResponse(encryptionProperties, tokenRenewerResponse, tokenRequirements, keyRequirements);
STSRenewSuccessEvent event = new STSRenewSuccessEvent(renewerParameters, System.currentTimeMillis() - start);
publishEvent(event);
return response;
} catch (Throwable ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
}
} catch (RuntimeException ex) {
STSRenewFailureEvent event = new STSRenewFailureEvent(renewerParameters, System.currentTimeMillis() - start, ex);
publishEvent(event);
throw ex;
}
}
Also used :
STSRenewSuccessEvent(org.apache.cxf.sts.event.STSRenewSuccessEvent)
TokenRenewerResponse(org.apache.cxf.sts.token.renewer.TokenRenewerResponse)
RequestRequirements(org.apache.cxf.sts.request.RequestRequirements)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)
RealmParser(org.apache.cxf.sts.RealmParser)
STSRenewFailureEvent(org.apache.cxf.sts.event.STSRenewFailureEvent)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
TokenRenewerParameters(org.apache.cxf.sts.token.renewer.TokenRenewerParameters)
TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
TokenRenewer(org.apache.cxf.sts.token.renewer.TokenRenewer)
Example 5 with TokenRequirements
use of org.apache.cxf.sts.request.TokenRequirements in project cxf by apache.
the class TokenValidateOperation method validate.
public RequestSecurityTokenResponseType validate(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
long start = System.currentTimeMillis();
TokenValidatorParameters validatorParameters = new TokenValidatorParameters();
try {
RequestRequirements requestRequirements = parseRequest(request, messageContext);
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
validatorParameters.setStsProperties(stsProperties);
validatorParameters.setPrincipal(principal);
validatorParameters.setMessageContext(messageContext);
validatorParameters.setTokenStore(getTokenStore());
// validatorParameters.setKeyRequirements(keyRequirements);
validatorParameters.setTokenRequirements(tokenRequirements);
ReceivedToken validateTarget = tokenRequirements.getValidateTarget();
if (validateTarget == null || validateTarget.getToken() == null) {
throw new STSException("No element presented for validation", STSException.INVALID_REQUEST);
}
validatorParameters.setToken(validateTarget);
if (tokenRequirements.getTokenType() == null) {
tokenRequirements.setTokenType(STSConstants.STATUS);
LOG.fine("Received TokenType is null, falling back to default token type: " + STSConstants.STATUS);
}
// Get the realm of the request
String realm = null;
if (stsProperties.getRealmParser() != null) {
RealmParser realmParser = stsProperties.getRealmParser();
realm = realmParser.parseRealm(messageContext);
}
validatorParameters.setRealm(realm);
TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, tokenRequirements, validateTarget);
if (tokenResponse == null) {
LOG.fine("No Token Validator has been found that can handle this token");
tokenResponse = new TokenValidatorResponse();
validateTarget.setState(STATE.INVALID);
tokenResponse.setToken(validateTarget);
}
//
// Create a new token (if requested)
//
TokenProviderResponse tokenProviderResponse = null;
String tokenType = tokenRequirements.getTokenType();
if (tokenResponse.getToken().getState() == STATE.VALID && !STSConstants.STATUS.equals(tokenType)) {
TokenProviderParameters providerParameters = createTokenProviderParameters(requestRequirements, principal, messageContext);
processValidToken(providerParameters, validateTarget, tokenResponse);
// Check if the requested claims can be handled by the configured claim handlers
providerParameters.setClaimsManager(claimsManager);
Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
if (additionalProperties != null) {
providerParameters.setAdditionalProperties(additionalProperties);
}
realm = providerParameters.getRealm();
for (TokenProvider tokenProvider : tokenProviders) {
boolean canHandle = false;
if (realm == null) {
canHandle = tokenProvider.canHandleToken(tokenType);
} else {
canHandle = tokenProvider.canHandleToken(tokenType, realm);
}
if (canHandle) {
try {
tokenProviderResponse = tokenProvider.createToken(providerParameters);
} catch (STSException ex) {
LOG.log(Level.WARNING, "", ex);
throw ex;
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
}
break;
}
}
if (tokenProviderResponse == null || tokenProviderResponse.getToken() == null) {
LOG.fine("No Token Provider has been found that can handle this token");
throw new STSException("No token provider found for requested token type: " + tokenType, STSException.REQUEST_FAILED);
}
}
// prepare response
try {
RequestSecurityTokenResponseType response = createResponse(tokenResponse, tokenProviderResponse, tokenRequirements);
STSValidateSuccessEvent event = new STSValidateSuccessEvent(validatorParameters, System.currentTimeMillis() - start);
publishEvent(event);
return response;
} catch (Throwable ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
}
} catch (RuntimeException ex) {
STSValidateFailureEvent event = new STSValidateFailureEvent(validatorParameters, System.currentTimeMillis() - start, ex);
publishEvent(event);
throw ex;
}
}
Also used :
RequestRequirements(org.apache.cxf.sts.request.RequestRequirements)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)
TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)
TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters)
RealmParser(org.apache.cxf.sts.RealmParser)
TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse)
STSValidateSuccessEvent(org.apache.cxf.sts.event.STSValidateSuccessEvent)
STSValidateFailureEvent(org.apache.cxf.sts.event.STSValidateFailureEvent)
Aggregations
TokenRequirements (org.apache.cxf.sts.request.TokenRequirements)116
CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)79
Crypto (org.apache.wss4j.common.crypto.Crypto)67
PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)65
KeyRequirements (org.apache.cxf.sts.request.KeyRequirements)63
ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)55
WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)54
MessageImpl (org.apache.cxf.message.MessageImpl)54
StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)54
EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties)45
TokenProviderParameters (org.apache.cxf.sts.token.provider.TokenProviderParameters)39
Document (org.w3c.dom.Document)33
Element (org.w3c.dom.Element)31
CallbackHandler (javax.security.auth.callback.CallbackHandler)29
STSException (org.apache.cxf.ws.security.sts.provider.STSException)18
Principal (java.security.Principal)16
TokenValidatorParameters (org.apache.cxf.sts.token.validator.TokenValidatorParameters)16
TokenValidatorResponse (org.apache.cxf.sts.token.validator.TokenValidatorResponse)15
TokenProviderResponse (org.apache.cxf.sts.token.provider.TokenProviderResponse)14
TokenValidator (org.apache.cxf.sts.token.validator.TokenValidator)12
