Example 1 with TokenProviderParameters
use of org.apache.cxf.sts.token.provider.TokenProviderParameters in project cxf by apache.
the class EventMapper method handleEvent.
protected void handleEvent(TokenProviderParametersSupport event, Map<String, Object> map) {
TokenProviderParameters params = event.getTokenParameters();
try {
HttpServletRequest req = (HttpServletRequest) params.getMessageContext().get(AbstractHTTPDestination.HTTP_REQUEST);
map.put(KEYS.REMOTE_HOST.name(), req.getRemoteHost());
map.put(KEYS.REMOTE_PORT.name(), String.valueOf(req.getRemotePort()));
map.put(KEYS.URL.name(), params.getMessageContext().get("org.apache.cxf.request.url"));
} catch (Exception ex) {
map.put(KEYS.REMOTE_HOST.name(), "N.A.");
map.put(KEYS.REMOTE_PORT.name(), "N.A.");
map.put(KEYS.URL.name(), "N.A.");
}
if (params.getTokenRequirements() != null) {
map.put(KEYS.TOKENTYPE.name(), params.getTokenRequirements().getTokenType());
if (params.getTokenRequirements().getOnBehalfOf() != null) {
map.put(KEYS.ONBEHALFOF_PRINCIPAL.name(), params.getTokenRequirements().getOnBehalfOf().getPrincipal().getName());
}
if (params.getTokenRequirements().getActAs() != null) {
map.put(KEYS.ACTAS_PRINCIPAL.name(), params.getTokenRequirements().getActAs().getPrincipal().getName());
}
}
if (params.getKeyRequirements() != null) {
map.put(KEYS.KEYTYPE.name(), params.getKeyRequirements().getKeyType());
}
if (params.getPrincipal() != null) {
map.put(KEYS.WS_SEC_PRINCIPAL.name(), params.getPrincipal().getName());
}
map.put(KEYS.REALM.name(), params.getRealm());
map.put(KEYS.APPLIESTO.name(), params.getAppliesToAddress());
if (params.getRequestedPrimaryClaims() != null) {
List<String> claims = new ArrayList<>();
for (Claim claim : params.getRequestedPrimaryClaims()) {
claims.add(claim.getClaimType().toString());
}
map.put(KEYS.CLAIMS_PRIMARY.name(), claims.toString());
}
if (params.getRequestedSecondaryClaims() != null) {
List<String> claims = new ArrayList<>();
for (Claim claim : params.getRequestedSecondaryClaims()) {
claims.add(claim.getClaimType().toString());
}
map.put(KEYS.CLAIMS_SECONDARY.name(), claims.toString());
}
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
ArrayList(java.util.ArrayList)
Claim(org.apache.cxf.rt.security.claims.Claim)
TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)
Example 2 with TokenProviderParameters
use of org.apache.cxf.sts.token.provider.TokenProviderParameters in project cxf by apache.
the class AbstractOperation method createTokenProviderParameters.
/**
* Create a TokenProviderParameters object
*/
protected TokenProviderParameters createTokenProviderParameters(RequestRequirements requestRequirements, Principal principal, Map<String, Object> messageContext) {
TokenProviderParameters providerParameters = new TokenProviderParameters();
providerParameters.setStsProperties(stsProperties);
providerParameters.setPrincipal(principal);
providerParameters.setMessageContext(messageContext);
providerParameters.setTokenStore(getTokenStore());
providerParameters.setEncryptToken(encryptIssuedToken);
KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
providerParameters.setKeyRequirements(keyRequirements);
providerParameters.setTokenRequirements(tokenRequirements);
// Extract AppliesTo
String address = extractAddressFromAppliesTo(tokenRequirements.getAppliesTo());
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("The AppliesTo address that has been received is: " + address);
}
providerParameters.setAppliesToAddress(address);
// Get the realm of the request
if (stsProperties.getRealmParser() != null) {
RealmParser realmParser = stsProperties.getRealmParser();
String realm = realmParser.parseRealm(messageContext);
providerParameters.setRealm(realm);
}
// Set the requested Claims
ClaimCollection claims = tokenRequirements.getPrimaryClaims();
providerParameters.setRequestedPrimaryClaims(claims);
claims = tokenRequirements.getSecondaryClaims();
providerParameters.setRequestedSecondaryClaims(claims);
EncryptionProperties encryptionProperties = stsProperties.getEncryptionProperties();
if (address != null) {
boolean foundService = false;
// Get the stored Service object corresponding to the Service endpoint
if (services != null) {
for (ServiceMBean service : services) {
if (service.isAddressInEndpoints(address)) {
EncryptionProperties svcEncryptionProperties = service.getEncryptionProperties();
if (svcEncryptionProperties != null) {
encryptionProperties = svcEncryptionProperties;
}
if (tokenRequirements.getTokenType() == null) {
String tokenType = service.getTokenType();
tokenRequirements.setTokenType(tokenType);
LOG.fine("Using default token type of: " + tokenType);
}
if (keyRequirements.getKeyType() == null) {
String keyType = service.getKeyType();
keyRequirements.setKeyType(keyType);
LOG.fine("Using default key type of: " + keyType);
}
foundService = true;
break;
}
}
}
if (!foundService) {
String msg = "No service corresponding to " + address + " is known. Check 'services' property configuration in SecurityTokenServiceProvider";
LOG.log(Level.SEVERE, msg);
throw new STSException(msg, STSException.REQUEST_FAILED);
}
}
providerParameters.setEncryptionProperties(encryptionProperties);
return providerParameters;
}
Also used :
RealmParser(org.apache.cxf.sts.RealmParser)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
ServiceMBean(org.apache.cxf.sts.service.ServiceMBean)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection)
TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)
Example 3 with TokenProviderParameters
use of org.apache.cxf.sts.token.provider.TokenProviderParameters in project cxf by apache.
the class TokenValidateOperation method validate.
public RequestSecurityTokenResponseType validate(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
long start = System.currentTimeMillis();
TokenValidatorParameters validatorParameters = new TokenValidatorParameters();
try {
RequestRequirements requestRequirements = parseRequest(request, messageContext);
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
validatorParameters.setStsProperties(stsProperties);
validatorParameters.setPrincipal(principal);
validatorParameters.setMessageContext(messageContext);
validatorParameters.setTokenStore(getTokenStore());
// validatorParameters.setKeyRequirements(keyRequirements);
validatorParameters.setTokenRequirements(tokenRequirements);
ReceivedToken validateTarget = tokenRequirements.getValidateTarget();
if (validateTarget == null || validateTarget.getToken() == null) {
throw new STSException("No element presented for validation", STSException.INVALID_REQUEST);
}
validatorParameters.setToken(validateTarget);
if (tokenRequirements.getTokenType() == null) {
tokenRequirements.setTokenType(STSConstants.STATUS);
LOG.fine("Received TokenType is null, falling back to default token type: " + STSConstants.STATUS);
}
// Get the realm of the request
String realm = null;
if (stsProperties.getRealmParser() != null) {
RealmParser realmParser = stsProperties.getRealmParser();
realm = realmParser.parseRealm(messageContext);
}
validatorParameters.setRealm(realm);
TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, tokenRequirements, validateTarget);
if (tokenResponse == null) {
LOG.fine("No Token Validator has been found that can handle this token");
tokenResponse = new TokenValidatorResponse();
validateTarget.setState(STATE.INVALID);
tokenResponse.setToken(validateTarget);
}
//
// Create a new token (if requested)
//
TokenProviderResponse tokenProviderResponse = null;
String tokenType = tokenRequirements.getTokenType();
if (tokenResponse.getToken().getState() == STATE.VALID && !STSConstants.STATUS.equals(tokenType)) {
TokenProviderParameters providerParameters = createTokenProviderParameters(requestRequirements, principal, messageContext);
processValidToken(providerParameters, validateTarget, tokenResponse);
// Check if the requested claims can be handled by the configured claim handlers
providerParameters.setClaimsManager(claimsManager);
Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
if (additionalProperties != null) {
providerParameters.setAdditionalProperties(additionalProperties);
}
realm = providerParameters.getRealm();
for (TokenProvider tokenProvider : tokenProviders) {
boolean canHandle = false;
if (realm == null) {
canHandle = tokenProvider.canHandleToken(tokenType);
} else {
canHandle = tokenProvider.canHandleToken(tokenType, realm);
}
if (canHandle) {
try {
tokenProviderResponse = tokenProvider.createToken(providerParameters);
} catch (STSException ex) {
LOG.log(Level.WARNING, "", ex);
throw ex;
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
}
break;
}
}
if (tokenProviderResponse == null || tokenProviderResponse.getToken() == null) {
LOG.fine("No Token Provider has been found that can handle this token");
throw new STSException("No token provider found for requested token type: " + tokenType, STSException.REQUEST_FAILED);
}
}
// prepare response
try {
RequestSecurityTokenResponseType response = createResponse(tokenResponse, tokenProviderResponse, tokenRequirements);
STSValidateSuccessEvent event = new STSValidateSuccessEvent(validatorParameters, System.currentTimeMillis() - start);
publishEvent(event);
return response;
} catch (Throwable ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
}
} catch (RuntimeException ex) {
STSValidateFailureEvent event = new STSValidateFailureEvent(validatorParameters, System.currentTimeMillis() - start, ex);
publishEvent(event);
throw ex;
}
}
Also used :
RequestRequirements(org.apache.cxf.sts.request.RequestRequirements)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)
TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)
TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters)
RealmParser(org.apache.cxf.sts.RealmParser)
TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse)
STSValidateSuccessEvent(org.apache.cxf.sts.event.STSValidateSuccessEvent)
STSValidateFailureEvent(org.apache.cxf.sts.event.STSValidateFailureEvent)
Example 4 with TokenProviderParameters
use of org.apache.cxf.sts.token.provider.TokenProviderParameters in project cxf by apache.
the class DefaultJWTClaimsProvider method getPrincipal.
/**
* Get the Principal (which is used as the Subject). By default, we check the following (in order):
* - A valid OnBehalfOf principal
* - A valid principal associated with a token received as ValidateTarget
* - The principal associated with the request. We don't need to check to see if it is "valid" here, as it
* is not parsed by the STS (but rather the WS-Security layer).
*/
protected Principal getPrincipal(JWTClaimsProviderParameters jwtClaimsProviderParameters) {
TokenProviderParameters providerParameters = jwtClaimsProviderParameters.getProviderParameters();
Principal principal = null;
// if validation was successful, the principal was set in ReceivedToken
if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
ReceivedToken receivedToken = providerParameters.getTokenRequirements().getOnBehalfOf();
if (receivedToken.getState().equals(STATE.VALID)) {
principal = receivedToken.getPrincipal();
}
} else if (providerParameters.getTokenRequirements().getValidateTarget() != null) {
ReceivedToken receivedToken = providerParameters.getTokenRequirements().getValidateTarget();
if (receivedToken.getState().equals(STATE.VALID)) {
principal = receivedToken.getPrincipal();
}
} else {
principal = providerParameters.getPrincipal();
}
return principal;
}
Also used :
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
X500Principal(javax.security.auth.x500.X500Principal)
Principal(java.security.Principal)
TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)
Example 5 with TokenProviderParameters
use of org.apache.cxf.sts.token.provider.TokenProviderParameters in project cxf by apache.
the class DefaultJWTClaimsProvider method handleAudienceRestriction.
/**
* Set the audience restriction claim. The Audiences are from an AppliesTo address, and the wst:Participants
* (if either exist).
*/
protected void handleAudienceRestriction(JWTClaimsProviderParameters jwtClaimsProviderParameters, JwtClaims claims) {
TokenProviderParameters providerParameters = jwtClaimsProviderParameters.getProviderParameters();
List<String> audiences = new ArrayList<>();
String appliesToAddress = providerParameters.getAppliesToAddress();
if (appliesToAddress != null) {
audiences.add(appliesToAddress);
}
Participants participants = providerParameters.getTokenRequirements().getParticipants();
if (participants != null) {
String address = TokenProviderUtils.extractAddressFromParticipantsEPR(participants.getPrimaryParticipant());
if (address != null) {
audiences.add(address);
}
if (participants.getParticipants() != null) {
for (Object participant : participants.getParticipants()) {
if (participant != null) {
address = TokenProviderUtils.extractAddressFromParticipantsEPR(participant);
if (address != null) {
audiences.add(address);
}
}
}
}
}
if (!audiences.isEmpty()) {
claims.setAudiences(audiences);
}
}
Also used :
ArrayList(java.util.ArrayList)
Participants(org.apache.cxf.sts.request.Participants)
TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)
Aggregations
TokenProviderParameters (org.apache.cxf.sts.token.provider.TokenProviderParameters)73
TokenRequirements (org.apache.cxf.sts.request.TokenRequirements)39
TokenProviderResponse (org.apache.cxf.sts.token.provider.TokenProviderResponse)35
CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)32
KeyRequirements (org.apache.cxf.sts.request.KeyRequirements)28
EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties)28
WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)26
MessageImpl (org.apache.cxf.message.MessageImpl)26
StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)26
Element (org.w3c.dom.Element)23
SAMLTokenProvider (org.apache.cxf.sts.token.provider.SAMLTokenProvider)22
TokenProvider (org.apache.cxf.sts.token.provider.TokenProvider)21
ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)14
PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)12
Crypto (org.apache.wss4j.common.crypto.Crypto)12
JWTTokenProvider (org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider)10
JAXBElement (javax.xml.bind.JAXBElement)9
ArrayList (java.util.ArrayList)7
Claim (org.apache.cxf.rt.security.claims.Claim)7
ClaimCollection (org.apache.cxf.rt.security.claims.ClaimCollection)7
