Search in sources :

Example 1 with TokenRequirements

use of org.apache.cxf.sts.request.TokenRequirements in project ddf by codice.

the class AuthNStatementProvider method getStatement.

/*
     * (non-Javadoc)
     * 
     * @see
     * org.apache.cxf.sts.token.provider.AuthenticationStatementProvider#getStatement(org.apache
     * .cxf.sts.token.provider.TokenProviderParameters)
     */
@Override
public AuthenticationStatementBean getStatement(TokenProviderParameters providerParameters) {
    AuthenticationStatementBean authBean = new AuthenticationStatementBean();
    authBean.setSessionIndex(Integer.toString(secureRandom.nextInt()));
    TokenRequirements tokenRequirements = providerParameters.getTokenRequirements();
    ReceivedToken receivedToken = null;
    if (tokenRequirements.getValidateTarget() != null) {
        receivedToken = tokenRequirements.getValidateTarget();
    } else if (tokenRequirements.getOnBehalfOf() != null) {
        receivedToken = tokenRequirements.getOnBehalfOf();
    } else if (tokenRequirements.getActAs() != null) {
        receivedToken = tokenRequirements.getActAs();
    } else if (tokenRequirements.getRenewTarget() != null) {
        receivedToken = tokenRequirements.getRenewTarget();
    }
    if (receivedToken != null) {
        Principal principal = receivedToken.getPrincipal();
        if (principal instanceof UsernameTokenPrincipal) {
            authBean.setAuthenticationMethod(SAML2Constants.AUTH_CONTEXT_CLASS_REF_PASSWORD_PROTECTED_TRANSPORT);
        } else if (principal instanceof X500Principal) {
            authBean.setAuthenticationMethod(SAML2Constants.AUTH_CONTEXT_CLASS_REF_X509);
        } else if (principal instanceof KerberosPrincipal) {
            authBean.setAuthenticationMethod(SAML2Constants.AUTH_CONTEXT_CLASS_REF_KERBEROS);
        } else {
            authBean.setAuthenticationMethod(SAML2Constants.AUTH_CONTEXT_CLASS_REF_UNSPECIFIED);
        }
    } else {
        authBean.setAuthenticationMethod(SAML2Constants.AUTH_CONTEXT_CLASS_REF_UNSPECIFIED);
    }
    return authBean;
}
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) UsernameTokenPrincipal(org.apache.wss4j.common.principal.UsernameTokenPrincipal) AuthenticationStatementBean(org.apache.wss4j.common.saml.bean.AuthenticationStatementBean) X500Principal(javax.security.auth.x500.X500Principal) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) Principal(java.security.Principal) X500Principal(javax.security.auth.x500.X500Principal) UsernameTokenPrincipal(org.apache.wss4j.common.principal.UsernameTokenPrincipal) KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal)

Example 2 with TokenRequirements

use of org.apache.cxf.sts.request.TokenRequirements in project cxf by apache.

the class AbstractOperation method performDelegationHandling.

protected void performDelegationHandling(RequestRequirements requestRequirements, Principal principal, Map<String, Object> messageContext, ReceivedToken token, Principal tokenPrincipal, Set<Principal> tokenRoles) {
    TokenDelegationParameters delegationParameters = new TokenDelegationParameters();
    delegationParameters.setStsProperties(stsProperties);
    delegationParameters.setPrincipal(principal);
    delegationParameters.setMessageContext(messageContext);
    delegationParameters.setTokenStore(getTokenStore());
    delegationParameters.setTokenPrincipal(tokenPrincipal);
    delegationParameters.setTokenRoles(tokenRoles);
    KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
    TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
    delegationParameters.setKeyRequirements(keyRequirements);
    delegationParameters.setTokenRequirements(tokenRequirements);
    // Extract AppliesTo
    String address = extractAddressFromAppliesTo(tokenRequirements.getAppliesTo());
    delegationParameters.setAppliesToAddress(address);
    delegationParameters.setToken(token);
    TokenDelegationResponse tokenResponse = null;
    for (TokenDelegationHandler delegationHandler : delegationHandlers) {
        if (delegationHandler.canHandleToken(token)) {
            try {
                tokenResponse = delegationHandler.isDelegationAllowed(delegationParameters);
            } catch (RuntimeException ex) {
                LOG.log(Level.WARNING, "", ex);
                throw new STSException("Error in delegation handling", ex, STSException.REQUEST_FAILED);
            }
            break;
        }
    }
    if (tokenResponse == null || !tokenResponse.isDelegationAllowed()) {
        LOG.log(Level.WARNING, "No matching token delegation handler found");
        throw new STSException("No matching token delegation handler found", STSException.REQUEST_FAILED);
    }
}
Also used : TokenDelegationParameters(org.apache.cxf.sts.token.delegation.TokenDelegationParameters) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) STSException(org.apache.cxf.ws.security.sts.provider.STSException) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) TokenDelegationResponse(org.apache.cxf.sts.token.delegation.TokenDelegationResponse) TokenDelegationHandler(org.apache.cxf.sts.token.delegation.TokenDelegationHandler)

Example 3 with TokenRequirements

use of org.apache.cxf.sts.request.TokenRequirements in project cxf by apache.

the class AbstractOperation method createTokenProviderParameters.

/**
 * Create a TokenProviderParameters object
 */
protected TokenProviderParameters createTokenProviderParameters(RequestRequirements requestRequirements, Principal principal, Map<String, Object> messageContext) {
    TokenProviderParameters providerParameters = new TokenProviderParameters();
    providerParameters.setStsProperties(stsProperties);
    providerParameters.setPrincipal(principal);
    providerParameters.setMessageContext(messageContext);
    providerParameters.setTokenStore(getTokenStore());
    providerParameters.setEncryptToken(encryptIssuedToken);
    KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
    TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
    providerParameters.setKeyRequirements(keyRequirements);
    providerParameters.setTokenRequirements(tokenRequirements);
    // Extract AppliesTo
    String address = extractAddressFromAppliesTo(tokenRequirements.getAppliesTo());
    if (LOG.isLoggable(Level.FINE)) {
        LOG.fine("The AppliesTo address that has been received is: " + address);
    }
    providerParameters.setAppliesToAddress(address);
    // Get the realm of the request
    if (stsProperties.getRealmParser() != null) {
        RealmParser realmParser = stsProperties.getRealmParser();
        String realm = realmParser.parseRealm(messageContext);
        providerParameters.setRealm(realm);
    }
    // Set the requested Claims
    ClaimCollection claims = tokenRequirements.getPrimaryClaims();
    providerParameters.setRequestedPrimaryClaims(claims);
    claims = tokenRequirements.getSecondaryClaims();
    providerParameters.setRequestedSecondaryClaims(claims);
    EncryptionProperties encryptionProperties = stsProperties.getEncryptionProperties();
    if (address != null) {
        boolean foundService = false;
        // Get the stored Service object corresponding to the Service endpoint
        if (services != null) {
            for (ServiceMBean service : services) {
                if (service.isAddressInEndpoints(address)) {
                    EncryptionProperties svcEncryptionProperties = service.getEncryptionProperties();
                    if (svcEncryptionProperties != null) {
                        encryptionProperties = svcEncryptionProperties;
                    }
                    if (tokenRequirements.getTokenType() == null) {
                        String tokenType = service.getTokenType();
                        tokenRequirements.setTokenType(tokenType);
                        LOG.fine("Using default token type of: " + tokenType);
                    }
                    if (keyRequirements.getKeyType() == null) {
                        String keyType = service.getKeyType();
                        keyRequirements.setKeyType(keyType);
                        LOG.fine("Using default key type of: " + keyType);
                    }
                    foundService = true;
                    break;
                }
            }
        }
        if (!foundService) {
            String msg = "No service corresponding to " + address + " is known. Check 'services' property configuration in SecurityTokenServiceProvider";
            LOG.log(Level.SEVERE, msg);
            throw new STSException(msg, STSException.REQUEST_FAILED);
        }
    }
    providerParameters.setEncryptionProperties(encryptionProperties);
    return providerParameters;
}
Also used : RealmParser(org.apache.cxf.sts.RealmParser) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) ServiceMBean(org.apache.cxf.sts.service.ServiceMBean) STSException(org.apache.cxf.ws.security.sts.provider.STSException) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)

Example 4 with TokenRequirements

use of org.apache.cxf.sts.request.TokenRequirements in project cxf by apache.

the class TokenRenewOperation method renew.

public RequestSecurityTokenResponseType renew(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
    long start = System.currentTimeMillis();
    TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
    try {
        RequestRequirements requestRequirements = parseRequest(request, messageContext);
        KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
        TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
        renewerParameters.setStsProperties(stsProperties);
        renewerParameters.setPrincipal(principal);
        renewerParameters.setMessageContext(messageContext);
        renewerParameters.setTokenStore(getTokenStore());
        renewerParameters.setKeyRequirements(keyRequirements);
        renewerParameters.setTokenRequirements(tokenRequirements);
        ReceivedToken renewTarget = tokenRequirements.getRenewTarget();
        if (renewTarget == null || renewTarget.getToken() == null) {
            throw new STSException("No element presented for renewal", STSException.INVALID_REQUEST);
        }
        renewerParameters.setToken(renewTarget);
        if (tokenRequirements.getTokenType() == null) {
            LOG.fine("Received TokenType is null");
        }
        // Get the realm of the request
        String realm = null;
        if (stsProperties.getRealmParser() != null) {
            RealmParser realmParser = stsProperties.getRealmParser();
            realm = realmParser.parseRealm(messageContext);
        }
        renewerParameters.setRealm(realm);
        // Validate the request
        TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, tokenRequirements, renewTarget);
        if (tokenResponse == null) {
            LOG.fine("No Token Validator has been found that can handle this token");
            renewTarget.setState(STATE.INVALID);
            throw new STSException("No Token Validator has been found that can handle this token" + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
        }
        // Reject an invalid token
        if (tokenResponse.getToken().getState() != STATE.EXPIRED && tokenResponse.getToken().getState() != STATE.VALID) {
            LOG.fine("The token is not valid or expired, and so it cannot be renewed");
            throw new STSException("No Token Validator has been found that can handle this token" + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
        }
        // 
        // Renew the token
        // 
        TokenRenewerResponse tokenRenewerResponse = null;
        renewerParameters = createTokenRenewerParameters(requestRequirements, principal, messageContext);
        Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
        if (additionalProperties != null) {
            renewerParameters.setAdditionalProperties(additionalProperties);
        }
        renewerParameters.setRealm(tokenResponse.getTokenRealm());
        renewerParameters.setToken(tokenResponse.getToken());
        realm = tokenResponse.getTokenRealm();
        for (TokenRenewer tokenRenewer : tokenRenewers) {
            boolean canHandle = false;
            if (realm == null) {
                canHandle = tokenRenewer.canHandleToken(tokenResponse.getToken());
            } else {
                canHandle = tokenRenewer.canHandleToken(tokenResponse.getToken(), realm);
            }
            if (canHandle) {
                try {
                    tokenRenewerResponse = tokenRenewer.renewToken(renewerParameters);
                } catch (STSException ex) {
                    LOG.log(Level.WARNING, "", ex);
                    throw ex;
                } catch (RuntimeException ex) {
                    LOG.log(Level.WARNING, "", ex);
                    throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
                }
                break;
            }
        }
        if (tokenRenewerResponse == null || tokenRenewerResponse.getToken() == null) {
            LOG.fine("No Token Renewer has been found that can handle this token");
            throw new STSException("No token renewer found for requested token type", STSException.REQUEST_FAILED);
        }
        // prepare response
        try {
            EncryptionProperties encryptionProperties = renewerParameters.getEncryptionProperties();
            RequestSecurityTokenResponseType response = createResponse(encryptionProperties, tokenRenewerResponse, tokenRequirements, keyRequirements);
            STSRenewSuccessEvent event = new STSRenewSuccessEvent(renewerParameters, System.currentTimeMillis() - start);
            publishEvent(event);
            return response;
        } catch (Throwable ex) {
            LOG.log(Level.WARNING, "", ex);
            throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
        }
    } catch (RuntimeException ex) {
        STSRenewFailureEvent event = new STSRenewFailureEvent(renewerParameters, System.currentTimeMillis() - start, ex);
        publishEvent(event);
        throw ex;
    }
}
Also used : STSRenewSuccessEvent(org.apache.cxf.sts.event.STSRenewSuccessEvent) TokenRenewerResponse(org.apache.cxf.sts.token.renewer.TokenRenewerResponse) RequestRequirements(org.apache.cxf.sts.request.RequestRequirements) STSException(org.apache.cxf.ws.security.sts.provider.STSException) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) RealmParser(org.apache.cxf.sts.RealmParser) STSRenewFailureEvent(org.apache.cxf.sts.event.STSRenewFailureEvent) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) TokenRenewerParameters(org.apache.cxf.sts.token.renewer.TokenRenewerParameters) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) TokenRenewer(org.apache.cxf.sts.token.renewer.TokenRenewer)

Example 5 with TokenRequirements

use of org.apache.cxf.sts.request.TokenRequirements in project cxf by apache.

the class TokenValidateOperation method validate.

public RequestSecurityTokenResponseType validate(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
    long start = System.currentTimeMillis();
    TokenValidatorParameters validatorParameters = new TokenValidatorParameters();
    try {
        RequestRequirements requestRequirements = parseRequest(request, messageContext);
        TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
        validatorParameters.setStsProperties(stsProperties);
        validatorParameters.setPrincipal(principal);
        validatorParameters.setMessageContext(messageContext);
        validatorParameters.setTokenStore(getTokenStore());
        // validatorParameters.setKeyRequirements(keyRequirements);
        validatorParameters.setTokenRequirements(tokenRequirements);
        ReceivedToken validateTarget = tokenRequirements.getValidateTarget();
        if (validateTarget == null || validateTarget.getToken() == null) {
            throw new STSException("No element presented for validation", STSException.INVALID_REQUEST);
        }
        validatorParameters.setToken(validateTarget);
        if (tokenRequirements.getTokenType() == null) {
            tokenRequirements.setTokenType(STSConstants.STATUS);
            LOG.fine("Received TokenType is null, falling back to default token type: " + STSConstants.STATUS);
        }
        // Get the realm of the request
        String realm = null;
        if (stsProperties.getRealmParser() != null) {
            RealmParser realmParser = stsProperties.getRealmParser();
            realm = realmParser.parseRealm(messageContext);
        }
        validatorParameters.setRealm(realm);
        TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, tokenRequirements, validateTarget);
        if (tokenResponse == null) {
            LOG.fine("No Token Validator has been found that can handle this token");
            tokenResponse = new TokenValidatorResponse();
            validateTarget.setState(STATE.INVALID);
            tokenResponse.setToken(validateTarget);
        }
        // 
        // Create a new token (if requested)
        // 
        TokenProviderResponse tokenProviderResponse = null;
        String tokenType = tokenRequirements.getTokenType();
        if (tokenResponse.getToken().getState() == STATE.VALID && !STSConstants.STATUS.equals(tokenType)) {
            TokenProviderParameters providerParameters = createTokenProviderParameters(requestRequirements, principal, messageContext);
            processValidToken(providerParameters, validateTarget, tokenResponse);
            // Check if the requested claims can be handled by the configured claim handlers
            providerParameters.setClaimsManager(claimsManager);
            Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
            if (additionalProperties != null) {
                providerParameters.setAdditionalProperties(additionalProperties);
            }
            realm = providerParameters.getRealm();
            for (TokenProvider tokenProvider : tokenProviders) {
                boolean canHandle = false;
                if (realm == null) {
                    canHandle = tokenProvider.canHandleToken(tokenType);
                } else {
                    canHandle = tokenProvider.canHandleToken(tokenType, realm);
                }
                if (canHandle) {
                    try {
                        tokenProviderResponse = tokenProvider.createToken(providerParameters);
                    } catch (STSException ex) {
                        LOG.log(Level.WARNING, "", ex);
                        throw ex;
                    } catch (RuntimeException ex) {
                        LOG.log(Level.WARNING, "", ex);
                        throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
                    }
                    break;
                }
            }
            if (tokenProviderResponse == null || tokenProviderResponse.getToken() == null) {
                LOG.fine("No Token Provider has been found that can handle this token");
                throw new STSException("No token provider found for requested token type: " + tokenType, STSException.REQUEST_FAILED);
            }
        }
        // prepare response
        try {
            RequestSecurityTokenResponseType response = createResponse(tokenResponse, tokenProviderResponse, tokenRequirements);
            STSValidateSuccessEvent event = new STSValidateSuccessEvent(validatorParameters, System.currentTimeMillis() - start);
            publishEvent(event);
            return response;
        } catch (Throwable ex) {
            LOG.log(Level.WARNING, "", ex);
            throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
        }
    } catch (RuntimeException ex) {
        STSValidateFailureEvent event = new STSValidateFailureEvent(validatorParameters, System.currentTimeMillis() - start, ex);
        publishEvent(event);
        throw ex;
    }
}
Also used : RequestRequirements(org.apache.cxf.sts.request.RequestRequirements) STSException(org.apache.cxf.ws.security.sts.provider.STSException) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters) TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters) RealmParser(org.apache.cxf.sts.RealmParser) TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse) STSValidateSuccessEvent(org.apache.cxf.sts.event.STSValidateSuccessEvent) STSValidateFailureEvent(org.apache.cxf.sts.event.STSValidateFailureEvent)

Aggregations

TokenRequirements (org.apache.cxf.sts.request.TokenRequirements)116 CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)79 Crypto (org.apache.wss4j.common.crypto.Crypto)67 PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)65 KeyRequirements (org.apache.cxf.sts.request.KeyRequirements)63 ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)55 WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)54 MessageImpl (org.apache.cxf.message.MessageImpl)54 StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)54 EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties)45 TokenProviderParameters (org.apache.cxf.sts.token.provider.TokenProviderParameters)39 Document (org.w3c.dom.Document)33 Element (org.w3c.dom.Element)31 CallbackHandler (javax.security.auth.callback.CallbackHandler)29 STSException (org.apache.cxf.ws.security.sts.provider.STSException)18 Principal (java.security.Principal)16 TokenValidatorParameters (org.apache.cxf.sts.token.validator.TokenValidatorParameters)16 TokenValidatorResponse (org.apache.cxf.sts.token.validator.TokenValidatorResponse)15 TokenProviderResponse (org.apache.cxf.sts.token.provider.TokenProviderResponse)14 TokenValidator (org.apache.cxf.sts.token.validator.TokenValidator)12