Examples with TokenDelegationHandler org.apache.cxf.sts.token.delegation.TokenDelegationHandler used on opensource projects

Example 1 with TokenDelegationHandler

use of org.apache.cxf.sts.token.delegation.TokenDelegationHandler in project cas by apereo.

the class CoreWsSecuritySecurityTokenServiceConfiguration method delegationHandlers.

@RefreshScope
@Bean
public List<TokenDelegationHandler> delegationHandlers() {
    final List<TokenDelegationHandler> handlers = new ArrayList<>();
    handlers.add(new SAMLDelegationHandler());
    handlers.add(new X509TokenDelegationHandler());
    return handlers;
}

Example 2 with TokenDelegationHandler

use of org.apache.cxf.sts.token.delegation.TokenDelegationHandler in project cxf by apache.

the class AbstractOperation method performDelegationHandling.

protected void performDelegationHandling(RequestRequirements requestRequirements, Principal principal, Map<String, Object> messageContext, ReceivedToken token, Principal tokenPrincipal, Set<Principal> tokenRoles) {
    TokenDelegationParameters delegationParameters = new TokenDelegationParameters();
    delegationParameters.setStsProperties(stsProperties);
    delegationParameters.setPrincipal(principal);
    delegationParameters.setMessageContext(messageContext);
    delegationParameters.setTokenStore(getTokenStore());
    delegationParameters.setTokenPrincipal(tokenPrincipal);
    delegationParameters.setTokenRoles(tokenRoles);
    KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
    TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
    delegationParameters.setKeyRequirements(keyRequirements);
    delegationParameters.setTokenRequirements(tokenRequirements);
    // Extract AppliesTo
    String address = extractAddressFromAppliesTo(tokenRequirements.getAppliesTo());
    delegationParameters.setAppliesToAddress(address);
    delegationParameters.setToken(token);
    TokenDelegationResponse tokenResponse = null;
    for (TokenDelegationHandler delegationHandler : delegationHandlers) {
        if (delegationHandler.canHandleToken(token)) {
            try {
                tokenResponse = delegationHandler.isDelegationAllowed(delegationParameters);
            } catch (RuntimeException ex) {
                LOG.log(Level.WARNING, "", ex);
                throw new STSException("Error in delegation handling", ex, STSException.REQUEST_FAILED);
            }
            break;
        }
    }
    if (tokenResponse == null || !tokenResponse.isDelegationAllowed()) {
        LOG.log(Level.WARNING, "No matching token delegation handler found");
        throw new STSException("No matching token delegation handler found", STSException.REQUEST_FAILED);
    }
}

Example 3 with TokenDelegationHandler

use of org.apache.cxf.sts.token.delegation.TokenDelegationHandler in project cxf by apache.

the class IssueJWTOnbehalfofUnitTest method testIssueJWTTokenOnBehalfOfSaml2DifferentRealm.

/**
 * Test to successfully issue a JWT Token (realm "B") on-behalf-of a SAML 2 token
 * on-behalf-of token issued by realm "A".
 */
@org.junit.Test
public void testIssueJWTTokenOnBehalfOfSaml2DifferentRealm() throws Exception {
    TokenIssueOperation issueOperation = new TokenIssueOperation();
    // Add Token Provider
    JWTTokenProvider tokenProvider = new JWTTokenProvider();
    issueOperation.setTokenProviders(Collections.singletonList(tokenProvider));
    TokenDelegationHandler delegationHandler = new SAMLDelegationHandler();
    issueOperation.setDelegationHandlers(Collections.singletonList(delegationHandler));
    // Add Token Validator
    SAMLTokenValidator samlTokenValidator = new SAMLTokenValidator();
    samlTokenValidator.setSamlRealmCodec(new IssuerSAMLRealmCodec());
    issueOperation.setTokenValidators(Collections.singletonList(samlTokenValidator));
    // Add Service
    ServiceMBean service = new StaticService();
    service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
    issueOperation.setServices(Collections.singletonList(service));
    // Add STSProperties object
    STSPropertiesMBean stsProperties = new StaticSTSProperties();
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    stsProperties.setEncryptionCrypto(crypto);
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setSignatureUsername("mystskey");
    stsProperties.setCallbackHandler(new PasswordCallbackHandler());
    stsProperties.setIssuer("STS");
    stsProperties.setRealmParser(new CustomRealmParser());
    stsProperties.setIdentityMapper(new CustomIdentityMapper());
    issueOperation.setStsProperties(stsProperties);
    Map<String, RealmProperties> realms = createSamlRealms();
    // Mock up a request
    RequestSecurityTokenType request = new RequestSecurityTokenType();
    JAXBElement<String> tokenType = new JAXBElement<String>(QNameConstants.TOKEN_TYPE, String.class, JWTTokenProvider.JWT_TOKEN_TYPE);
    request.getAny().add(tokenType);
    // Get a SAML Token via the SAMLTokenProvider
    CallbackHandler callbackHandler = new PasswordCallbackHandler();
    Element samlToken = createSAMLAssertion(WSS4JConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, realms, STSConstants.BEARER_KEY_KEYTYPE);
    Document doc = samlToken.getOwnerDocument();
    samlToken = (Element) doc.appendChild(samlToken);
    OnBehalfOfType onbehalfof = new OnBehalfOfType();
    onbehalfof.setAny(samlToken);
    JAXBElement<OnBehalfOfType> onbehalfofType = new JAXBElement<OnBehalfOfType>(QNameConstants.ON_BEHALF_OF, OnBehalfOfType.class, onbehalfof);
    request.getAny().add(onbehalfofType);
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    msgCtx.put("url", "https");
    tokenProvider.setRealmMap(realms);
    RequestSecurityTokenResponseCollectionType response = issueOperation.issue(request, null, msgCtx);
    List<RequestSecurityTokenResponseType> securityTokenResponse = response.getRequestSecurityTokenResponse();
    assertFalse(securityTokenResponse.isEmpty());
    // Test the generated token.
    Element token = null;
    for (Object tokenObject : securityTokenResponse.get(0).getAny()) {
        if (tokenObject instanceof JAXBElement<?> && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>) tokenObject).getName())) {
            RequestedSecurityTokenType rstType = (RequestedSecurityTokenType) ((JAXBElement<?>) tokenObject).getValue();
            token = (Element) rstType.getAny();
            break;
        }
    }
    assertNotNull(token);
    // Validate the token
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token.getTextContent());
    JwtToken jwt = jwtConsumer.getJwtToken();
    Assert.assertEquals("ALICE", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
}

Example 4 with TokenDelegationHandler

use of org.apache.cxf.sts.token.delegation.TokenDelegationHandler in project cxf by apache.

the class IssueOnbehalfofUnitTest method testIssueSaml2TokenOnBehalfOfSaml1SymmetricHOK.

/**
 * Test to successfully issue a SAML 2 token on-behalf-of a SAML 1 Symmetric HOK token
 */
@org.junit.Test
public void testIssueSaml2TokenOnBehalfOfSaml1SymmetricHOK() throws Exception {
    TokenIssueOperation issueOperation = new TokenIssueOperation();
    // Add Token Provider
    issueOperation.setTokenProviders(Collections.singletonList(new SAMLTokenProvider()));
    // Add Token Validator
    issueOperation.setTokenValidators(Collections.singletonList(new SAMLTokenValidator()));
    // Add Service
    ServiceMBean service = new StaticService();
    service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
    issueOperation.setServices(Collections.singletonList(service));
    // Add STSProperties object
    STSPropertiesMBean stsProperties = new StaticSTSProperties();
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    stsProperties.setEncryptionCrypto(crypto);
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setSignatureUsername("mystskey");
    stsProperties.setCallbackHandler(new PasswordCallbackHandler());
    stsProperties.setIssuer("STS");
    issueOperation.setStsProperties(stsProperties);
    // Mock up a request
    RequestSecurityTokenType request = new RequestSecurityTokenType();
    JAXBElement<String> tokenType = new JAXBElement<String>(QNameConstants.TOKEN_TYPE, String.class, WSS4JConstants.WSS_SAML2_TOKEN_TYPE);
    request.getAny().add(tokenType);
    // Get a SAML Token via the SAMLTokenProvider
    CallbackHandler callbackHandler = new PasswordCallbackHandler();
    Element samlToken = createSAMLAssertion(WSS4JConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, null, STSConstants.SYMMETRIC_KEY_TYPE);
    Document doc = samlToken.getOwnerDocument();
    samlToken = (Element) doc.appendChild(samlToken);
    OnBehalfOfType onbehalfof = new OnBehalfOfType();
    onbehalfof.setAny(samlToken);
    JAXBElement<OnBehalfOfType> onbehalfofType = new JAXBElement<OnBehalfOfType>(QNameConstants.ON_BEHALF_OF, OnBehalfOfType.class, onbehalfof);
    request.getAny().add(onbehalfofType);
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    // This should fail as the default DelegationHandler does not allow HolderOfKey
    try {
        issueOperation.issue(request, null, msgCtx);
        fail("Failure expected as HolderOfKey is not allowed by default");
    } catch (STSException ex) {
    // expected
    }
    TokenDelegationHandler delegationHandler = new HOKDelegationHandler();
    issueOperation.setDelegationHandlers(Collections.singletonList(delegationHandler));
    RequestSecurityTokenResponseCollectionType response = issueOperation.issue(request, null, msgCtx);
    List<RequestSecurityTokenResponseType> securityTokenResponse = response.getRequestSecurityTokenResponse();
    assertFalse(securityTokenResponse.isEmpty());
}

Example 5 with TokenDelegationHandler

use of org.apache.cxf.sts.token.delegation.TokenDelegationHandler in project cxf by apache.

the class IssueOnbehalfofUnitTest method testIssueSaml2TokenOnBehalfOfSaml2.

/**
 * Test to successfully issue a SAML 2 token on-behalf-of a SAML 2 token
 */
@org.junit.Test
public void testIssueSaml2TokenOnBehalfOfSaml2() throws Exception {
    TokenIssueOperation issueOperation = new TokenIssueOperation();
    // Add Token Provider
    issueOperation.setTokenProviders(Collections.singletonList(new SAMLTokenProvider()));
    // Add Token Validator
    issueOperation.setTokenValidators(Collections.singletonList(new SAMLTokenValidator()));
    // Add Service
    ServiceMBean service = new StaticService();
    service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
    issueOperation.setServices(Collections.singletonList(service));
    // Add STSProperties object
    STSPropertiesMBean stsProperties = new StaticSTSProperties();
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    stsProperties.setEncryptionCrypto(crypto);
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setSignatureUsername("mystskey");
    stsProperties.setCallbackHandler(new PasswordCallbackHandler());
    stsProperties.setIssuer("STS");
    issueOperation.setStsProperties(stsProperties);
    TokenDelegationHandler delegationHandler = new SAMLDelegationHandler();
    issueOperation.setDelegationHandlers(Collections.singletonList(delegationHandler));
    // Mock up a request
    RequestSecurityTokenType request = new RequestSecurityTokenType();
    JAXBElement<String> tokenType = new JAXBElement<String>(QNameConstants.TOKEN_TYPE, String.class, WSS4JConstants.WSS_SAML2_TOKEN_TYPE);
    request.getAny().add(tokenType);
    // Get a SAML Token via the SAMLTokenProvider
    CallbackHandler callbackHandler = new PasswordCallbackHandler();
    Element samlToken = createSAMLAssertion(WSS4JConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler);
    Document doc = samlToken.getOwnerDocument();
    samlToken = (Element) doc.appendChild(samlToken);
    OnBehalfOfType onbehalfof = new OnBehalfOfType();
    onbehalfof.setAny(samlToken);
    JAXBElement<OnBehalfOfType> onbehalfofType = new JAXBElement<OnBehalfOfType>(QNameConstants.ON_BEHALF_OF, OnBehalfOfType.class, onbehalfof);
    request.getAny().add(onbehalfofType);
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    // Issue a token
    RequestSecurityTokenResponseCollectionType response = issueOperation.issue(request, null, msgCtx);
    List<RequestSecurityTokenResponseType> securityTokenResponse = response.getRequestSecurityTokenResponse();
    assertFalse(securityTokenResponse.isEmpty());
}