Example 26 with EncryptionProperties
use of org.apache.cxf.sts.service.EncryptionProperties in project cxf by apache.
the class SAMLProviderOnBehalfOfTest method createProviderParameters.
private TokenProviderParameters createProviderParameters(String tokenType, String keyType, Object onBehalfOf) throws WSSecurityException {
TokenProviderParameters parameters = new TokenProviderParameters();
TokenRequirements tokenRequirements = new TokenRequirements();
tokenRequirements.setTokenType(tokenType);
if (onBehalfOf != null) {
ReceivedToken onBehalfOfToken = new ReceivedToken(onBehalfOf);
onBehalfOfToken.setState(STATE.VALID);
tokenRequirements.setOnBehalfOf(onBehalfOfToken);
}
parameters.setTokenRequirements(tokenRequirements);
KeyRequirements keyRequirements = new KeyRequirements();
keyRequirements.setKeyType(keyType);
parameters.setKeyRequirements(keyRequirements);
parameters.setPrincipal(new CustomTokenPrincipal("alice"));
// Mock up message context
MessageImpl msg = new MessageImpl();
WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
parameters.setMessageContext(msgCtx);
parameters.setAppliesToAddress("http://dummy-service.com/dummy");
// Add STSProperties object
StaticSTSProperties stsProperties = new StaticSTSProperties();
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
stsProperties.setSignatureCrypto(crypto);
stsProperties.setSignatureUsername("mystskey");
stsProperties.setCallbackHandler(new PasswordCallbackHandler());
stsProperties.setIssuer("STS");
parameters.setStsProperties(stsProperties);
parameters.setEncryptionProperties(new EncryptionProperties());
return parameters;
}
Also used :
CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal)
Crypto(org.apache.wss4j.common.crypto.Crypto)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext)
PasswordCallbackHandler(org.apache.cxf.sts.common.PasswordCallbackHandler)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties)
MessageImpl(org.apache.cxf.message.MessageImpl)
Example 27 with EncryptionProperties
use of org.apache.cxf.sts.service.EncryptionProperties in project cxf by apache.
the class DefaultSubjectProvider method createKeyInfo.
/**
* Create and return the KeyInfoBean to be inserted into the SubjectBean
*/
protected KeyInfoBean createKeyInfo(SubjectProviderParameters subjectProviderParameters) {
TokenProviderParameters providerParameters = subjectProviderParameters.getProviderParameters();
KeyRequirements keyRequirements = providerParameters.getKeyRequirements();
STSPropertiesMBean stsProperties = providerParameters.getStsProperties();
String keyType = keyRequirements.getKeyType();
if (STSConstants.SYMMETRIC_KEY_KEYTYPE.equals(keyType)) {
Crypto crypto = stsProperties.getEncryptionCrypto();
EncryptionProperties encryptionProperties = providerParameters.getEncryptionProperties();
String encryptionName = encryptionProperties.getEncryptionName();
if (encryptionName == null) {
// Fall back on the STS encryption name
encryptionName = stsProperties.getEncryptionUsername();
}
if (encryptionName == null) {
LOG.fine("No encryption Name is configured for Symmetric KeyType");
throw new STSException("No Encryption Name is configured", STSException.REQUEST_FAILED);
}
final CryptoType cryptoType;
// Check for using of service endpoint (AppliesTo) as certificate identifier
if (STSConstants.USE_ENDPOINT_AS_CERT_ALIAS.equals(encryptionName)) {
if (providerParameters.getAppliesToAddress() == null) {
throw new STSException("AppliesTo is not initilaized for encryption name " + STSConstants.USE_ENDPOINT_AS_CERT_ALIAS);
}
cryptoType = new CryptoType(CryptoType.TYPE.ENDPOINT);
cryptoType.setEndpoint(providerParameters.getAppliesToAddress());
} else {
cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(encryptionName);
}
try {
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
if ((certs == null) || (certs.length == 0)) {
throw new STSException("Encryption certificate is not found for alias: " + encryptionName);
}
Document doc = subjectProviderParameters.getDoc();
byte[] secret = subjectProviderParameters.getSecret();
return createEncryptedKeyKeyInfo(certs[0], secret, doc, encryptionProperties, crypto);
} catch (WSSecurityException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException(ex.getMessage(), ex);
}
} else if (STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
ReceivedCredential receivedCredential = keyRequirements.getReceivedCredential();
// Validate UseKey trust
if (stsProperties.isValidateUseKey() && stsProperties.getSignatureCrypto() != null) {
if (receivedCredential.getX509Cert() != null) {
try {
Collection<Pattern> constraints = Collections.emptyList();
stsProperties.getSignatureCrypto().verifyTrust(new X509Certificate[] { receivedCredential.getX509Cert() }, false, constraints, null);
} catch (WSSecurityException e) {
LOG.log(Level.FINE, "Error in trust validation of UseKey: ", e);
throw new STSException("Error in trust validation of UseKey", STSException.REQUEST_FAILED);
}
}
if (receivedCredential.getPublicKey() != null) {
try {
stsProperties.getSignatureCrypto().verifyTrust(receivedCredential.getPublicKey());
} catch (WSSecurityException e) {
LOG.log(Level.FINE, "Error in trust validation of UseKey: ", e);
throw new STSException("Error in trust validation of UseKey", STSException.REQUEST_FAILED);
}
}
}
return createPublicKeyKeyInfo(receivedCredential.getX509Cert(), receivedCredential.getPublicKey());
}
return null;
}
Also used :
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
CryptoType(org.apache.wss4j.common.crypto.CryptoType)
Document(org.w3c.dom.Document)
X509Certificate(java.security.cert.X509Certificate)
ReceivedCredential(org.apache.cxf.sts.request.ReceivedCredential)
Crypto(org.apache.wss4j.common.crypto.Crypto)
STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean)
Collection(java.util.Collection)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
Example 28 with EncryptionProperties
use of org.apache.cxf.sts.service.EncryptionProperties in project cxf by apache.
the class JWTTokenProvider method encryptToken.
private String encryptToken(String token, JweHeaders jweHeaders, STSPropertiesMBean stsProperties, EncryptionProperties encryptionProperties, KeyRequirements keyRequirements) throws Exception {
Properties encProperties = new Properties();
String name = encryptionProperties.getEncryptionName();
if (name == null) {
name = stsProperties.getEncryptionUsername();
}
if (name == null) {
LOG.fine("No encryption alias is configured");
return token;
}
encProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, name);
// Get the encryption algorithm to use - for now we don't allow the client to ask
// for a particular encryption algorithm, as with SAML
String encryptionAlgorithm = encryptionProperties.getEncryptionAlgorithm();
try {
ContentAlgorithm.getAlgorithm(encryptionAlgorithm);
} catch (IllegalArgumentException ex) {
encryptionAlgorithm = ContentAlgorithm.A128GCM.name();
}
encProperties.put(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM, encryptionAlgorithm);
// Get the key-wrap algorithm to use - for now we don't allow the client to ask
// for a particular encryption algorithm, as with SAML
String keyWrapAlgorithm = encryptionProperties.getKeyWrapAlgorithm();
try {
KeyAlgorithm.getAlgorithm(keyWrapAlgorithm);
} catch (IllegalArgumentException ex) {
keyWrapAlgorithm = KeyAlgorithm.RSA_OAEP.name();
}
encProperties.put(JoseConstants.RSSEC_ENCRYPTION_KEY_ALGORITHM, keyWrapAlgorithm);
// Initialise encryption objects with defaults of STSPropertiesMBean
Crypto encryptionCrypto = stsProperties.getEncryptionCrypto();
if (!(encryptionCrypto instanceof Merlin)) {
throw new STSException("Can't get the keystore", STSException.REQUEST_FAILED);
}
KeyStore keystore = ((Merlin) encryptionCrypto).getKeyStore();
encProperties.put(JoseConstants.RSSEC_KEY_STORE, keystore);
JweEncryptionProvider encProvider = JweUtils.loadEncryptionProvider(encProperties, jweHeaders);
return encProvider.encrypt(StringUtils.toBytesUTF8(token), null);
}
Also used :
Crypto(org.apache.wss4j.common.crypto.Crypto)
JweEncryptionProvider(org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
SignatureProperties(org.apache.cxf.sts.SignatureProperties)
Properties(java.util.Properties)
RealmProperties(org.apache.cxf.sts.token.realm.RealmProperties)
KeyStore(java.security.KeyStore)
Merlin(org.apache.wss4j.common.crypto.Merlin)
Example 29 with EncryptionProperties
use of org.apache.cxf.sts.service.EncryptionProperties in project cxf by apache.
the class TokenIssueOperation method issueSingle.
public RequestSecurityTokenResponseType issueSingle(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
long start = System.currentTimeMillis();
TokenProviderParameters providerParameters = new TokenProviderParameters();
try {
RequestRequirements requestRequirements = parseRequest(request, messageContext);
providerParameters = createTokenProviderParameters(requestRequirements, principal, messageContext);
providerParameters.setClaimsManager(claimsManager);
String realm = providerParameters.getRealm();
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
String tokenType = tokenRequirements.getTokenType();
if (stsProperties.getSamlRealmCodec() != null) {
SamlAssertionWrapper assertion = fetchSAMLAssertionFromWSSecuritySAMLToken(messageContext);
if (assertion != null) {
String wssecRealm = stsProperties.getSamlRealmCodec().getRealmFromToken(assertion);
SAMLTokenPrincipal samlPrincipal = new SAMLTokenPrincipalImpl(assertion);
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("SAML token realm of user '" + samlPrincipal.getName() + "' is " + wssecRealm);
}
ReceivedToken wssecToken = new ReceivedToken(assertion.getElement());
wssecToken.setState(STATE.VALID);
TokenValidatorResponse tokenResponse = new TokenValidatorResponse();
tokenResponse.setPrincipal(samlPrincipal);
tokenResponse.setToken(wssecToken);
tokenResponse.setTokenRealm(wssecRealm);
tokenResponse.setAdditionalProperties(new HashMap<String, Object>());
processValidToken(providerParameters, wssecToken, tokenResponse);
providerParameters.setPrincipal(wssecToken.getPrincipal());
}
}
// Validate OnBehalfOf token if present
if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
ReceivedToken validateTarget = providerParameters.getTokenRequirements().getOnBehalfOf();
handleDelegationToken(validateTarget, providerParameters, principal, messageContext, realm, requestRequirements);
}
// See whether ActAs is allowed or not
if (providerParameters.getTokenRequirements().getActAs() != null) {
ReceivedToken validateTarget = providerParameters.getTokenRequirements().getActAs();
handleDelegationToken(validateTarget, providerParameters, principal, messageContext, realm, requestRequirements);
}
// create token
TokenProviderResponse tokenResponse = null;
for (TokenProvider tokenProvider : tokenProviders) {
final boolean canHandle;
if (realm == null) {
canHandle = tokenProvider.canHandleToken(tokenType);
} else {
canHandle = tokenProvider.canHandleToken(tokenType, realm);
}
if (canHandle) {
try {
tokenResponse = tokenProvider.createToken(providerParameters);
} catch (STSException ex) {
LOG.log(Level.WARNING, "", ex);
throw ex;
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
}
break;
}
}
if (tokenResponse == null || tokenResponse.getToken() == null) {
LOG.log(Level.WARNING, "No token provider found for requested token type: " + tokenType);
throw new STSException("No token provider found for requested token type: " + tokenType, STSException.REQUEST_FAILED);
}
// prepare response
try {
KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
EncryptionProperties encryptionProperties = providerParameters.getEncryptionProperties();
RequestSecurityTokenResponseType response = createResponse(encryptionProperties, tokenResponse, tokenRequirements, keyRequirements);
STSIssueSuccessEvent event = new STSIssueSuccessEvent(providerParameters, System.currentTimeMillis() - start);
publishEvent(event);
cleanRequest(requestRequirements);
return response;
} catch (Throwable ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
}
} catch (RuntimeException ex) {
LOG.log(Level.SEVERE, "Cannot issue token: " + ex.getMessage(), ex);
STSIssueFailureEvent event = new STSIssueFailureEvent(providerParameters, System.currentTimeMillis() - start, ex);
publishEvent(event);
throw ex;
}
}
Also used :
SAMLTokenPrincipal(org.apache.wss4j.common.principal.SAMLTokenPrincipal)
RequestRequirements(org.apache.cxf.sts.request.RequestRequirements)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)
TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)
TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
SAMLTokenPrincipalImpl(org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl)
STSIssueSuccessEvent(org.apache.cxf.sts.event.STSIssueSuccessEvent)
STSIssueFailureEvent(org.apache.cxf.sts.event.STSIssueFailureEvent)
Example 30 with EncryptionProperties
use of org.apache.cxf.sts.service.EncryptionProperties in project cxf by apache.
the class IssueOnbehalfofUnitTest method createProviderParameters.
private TokenProviderParameters createProviderParameters(String tokenType, String keyType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler) throws WSSecurityException {
TokenProviderParameters parameters = new TokenProviderParameters();
TokenRequirements tokenRequirements = new TokenRequirements();
tokenRequirements.setTokenType(tokenType);
parameters.setTokenRequirements(tokenRequirements);
KeyRequirements keyRequirements = new KeyRequirements();
keyRequirements.setKeyType(keyType);
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias("myclientkey");
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
ReceivedCredential receivedCredential = new ReceivedCredential();
receivedCredential.setX509Cert(certs[0]);
keyRequirements.setReceivedCredential(receivedCredential);
parameters.setKeyRequirements(keyRequirements);
parameters.setPrincipal(new CustomTokenPrincipal("alice"));
// Mock up message context
MessageImpl msg = new MessageImpl();
WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
parameters.setMessageContext(msgCtx);
parameters.setAppliesToAddress("http://dummy-service.com/dummy");
// Add STSProperties object
StaticSTSProperties stsProperties = new StaticSTSProperties();
stsProperties.setSignatureCrypto(crypto);
stsProperties.setSignatureUsername(signatureUsername);
stsProperties.setCallbackHandler(callbackHandler);
stsProperties.setIssuer("STS");
stsProperties.setEncryptionUsername("myservicekey");
stsProperties.setEncryptionCrypto(crypto);
parameters.setStsProperties(stsProperties);
parameters.setEncryptionProperties(new EncryptionProperties());
return parameters;
}
Also used :
CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
CryptoType(org.apache.wss4j.common.crypto.CryptoType)
StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties)
MessageImpl(org.apache.cxf.message.MessageImpl)
X509Certificate(java.security.cert.X509Certificate)
TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)
ReceivedCredential(org.apache.cxf.sts.request.ReceivedCredential)
Aggregations
EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties)56
WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)51
MessageImpl (org.apache.cxf.message.MessageImpl)51
StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)51
KeyRequirements (org.apache.cxf.sts.request.KeyRequirements)46
TokenRequirements (org.apache.cxf.sts.request.TokenRequirements)45
CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)44
Crypto (org.apache.wss4j.common.crypto.Crypto)35
PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)33
TokenProviderParameters (org.apache.cxf.sts.token.provider.TokenProviderParameters)28
RequestSecurityTokenResponseType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)11
ServiceMBean (org.apache.cxf.sts.service.ServiceMBean)10
STSException (org.apache.cxf.ws.security.sts.provider.STSException)10
JAXBElement (javax.xml.bind.JAXBElement)9
StaticService (org.apache.cxf.sts.service.StaticService)9
RequestSecurityTokenResponseCollectionType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType)9
RequestSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType)9
ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)6
ReceivedCredential (org.apache.cxf.sts.request.ReceivedCredential)4
CryptoType (org.apache.wss4j.common.crypto.CryptoType)4
