Search in sources :

Example 41 with TokenValidatorResponse

use of org.apache.cxf.sts.token.validator.TokenValidatorResponse in project ddf by codice.

the class WebSSOTokenValidator method validateToken.

/**
     * Validate a Token using the given TokenValidatorParameters.
     */
@Override
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
    LOGGER.debug("Validating SSO Token");
    STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
    Crypto sigCrypto = stsProperties.getSignatureCrypto();
    CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
    RequestData requestData = new RequestData();
    requestData.setSigVerCrypto(sigCrypto);
    WSSConfig wssConfig = WSSConfig.getNewInstance();
    requestData.setWssConfig(wssConfig);
    requestData.setCallbackHandler(callbackHandler);
    LOGGER.debug("Setting validate state to invalid before check.");
    TokenValidatorResponse response = new TokenValidatorResponse();
    ReceivedToken validateTarget = tokenParameters.getToken();
    validateTarget.setState(STATE.INVALID);
    response.setToken(validateTarget);
    if (!validateTarget.isBinarySecurityToken()) {
        LOGGER.debug("Validate target is not a binary security token, returning invalid response.");
        return response;
    }
    LOGGER.debug("Getting binary security token from validate target");
    BinarySecurityTokenType binarySecurityToken = (BinarySecurityTokenType) validateTarget.getToken();
    //
    // Decode the token
    //
    LOGGER.debug("Decoding binary security token.");
    String base64Token = binarySecurityToken.getValue();
    String ticket = null;
    String service = null;
    try {
        byte[] token = Base64.getDecoder().decode(base64Token);
        if (token == null || token.length == 0) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "Binary security token NOT successfully decoded, is empty or null.");
        }
        String decodedToken = new String(token, Charset.forName("UTF-8"));
        if (StringUtils.isNotBlank(decodedToken)) {
            LOGGER.debug("Binary security token successfully decoded: {}", decodedToken);
            // Token is in the format ticket|service
            String[] parts = StringUtils.split(decodedToken, CAS_BST_SEP);
            if (parts.length == 2) {
                ticket = parts[0];
                service = parts[1];
            } else {
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "Was not able to parse out BST propertly. Should be in ticket|service format.");
            }
        } else {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "Binary security token NOT successfully decoded, is empty or null.");
        }
    } catch (WSSecurityException wsse) {
        String msg = "Unable to decode BST into ticket and service for validation to CAS.";
        LOGGER.info(msg, wsse);
        return response;
    }
    //
    try {
        LOGGER.debug("Validating ticket [{}] for service [{}].", ticket, service);
        // validate either returns an assertion or throws an exception
        Assertion assertion = validate(ticket, service);
        AttributePrincipal principal = assertion.getPrincipal();
        LOGGER.debug("User name retrieved from CAS: {}", principal.getName());
        response.setPrincipal(principal);
        LOGGER.debug("CAS ticket successfully validated, setting state to valid.");
        validateTarget.setState(STATE.VALID);
    } catch (TicketValidationException e) {
        LOGGER.debug("Unable to validate CAS token.", e);
    }
    return response;
}
Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) Assertion(org.jasig.cas.client.validation.Assertion) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) WSSConfig(org.apache.wss4j.dom.engine.WSSConfig) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) RequestData(org.apache.wss4j.dom.handler.RequestData) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) AttributePrincipal(org.jasig.cas.client.authentication.AttributePrincipal) TicketValidationException(org.jasig.cas.client.validation.TicketValidationException)

Example 42 with TokenValidatorResponse

use of org.apache.cxf.sts.token.validator.TokenValidatorResponse in project cxf by apache.

the class AbstractOperation method validateReceivedToken.

protected TokenValidatorResponse validateReceivedToken(Principal principal, Map<String, Object> messageContext, String realm, TokenRequirements tokenRequirements, ReceivedToken token) {
    token.setState(STATE.NONE);
    TokenRequirements validateRequirements = new TokenRequirements();
    validateRequirements.setValidateTarget(token);
    TokenValidatorParameters validatorParameters = new TokenValidatorParameters();
    validatorParameters.setStsProperties(stsProperties);
    validatorParameters.setPrincipal(principal);
    validatorParameters.setMessageContext(messageContext);
    validatorParameters.setTokenStore(getTokenStore());
    validatorParameters.setKeyRequirements(null);
    validatorParameters.setTokenRequirements(validateRequirements);
    validatorParameters.setToken(token);
    if (tokenValidators.isEmpty()) {
        LOG.fine("No token validators have been configured to validate the received token");
    }
    TokenValidatorResponse tokenResponse = null;
    for (TokenValidator tokenValidator : tokenValidators) {
        boolean canHandle = false;
        if (realm == null) {
            canHandle = tokenValidator.canHandleToken(token);
        } else {
            canHandle = tokenValidator.canHandleToken(token, realm);
        }
        if (canHandle) {
            try {
                tokenResponse = tokenValidator.validateToken(validatorParameters);
                token = tokenResponse.getToken();
                // The parsed principal/roles is set if available. It's up to other
                // components to deal with the STATE of the validation
                token.setPrincipal(tokenResponse.getPrincipal());
                token.setRoles(tokenResponse.getRoles());
            } catch (RuntimeException ex) {
                LOG.log(Level.WARNING, "Failed to validate the token", ex);
                token.setState(STATE.INVALID);
            }
            break;
        }
    }
    if (tokenResponse == null) {
        LOG.fine("No token validator has been configured to validate the received token");
    }
    return tokenResponse;
}
Also used : TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters) TokenValidator(org.apache.cxf.sts.token.validator.TokenValidator) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse)

Example 43 with TokenValidatorResponse

use of org.apache.cxf.sts.token.validator.TokenValidatorResponse in project cxf by apache.

the class TokenIssueOperation method issueSingle.

public RequestSecurityTokenResponseType issueSingle(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
    long start = System.currentTimeMillis();
    TokenProviderParameters providerParameters = new TokenProviderParameters();
    try {
        RequestRequirements requestRequirements = parseRequest(request, messageContext);
        providerParameters = createTokenProviderParameters(requestRequirements, principal, messageContext);
        providerParameters.setClaimsManager(claimsManager);
        String realm = providerParameters.getRealm();
        TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
        String tokenType = tokenRequirements.getTokenType();
        if (stsProperties.getSamlRealmCodec() != null) {
            SamlAssertionWrapper assertion = fetchSAMLAssertionFromWSSecuritySAMLToken(messageContext);
            if (assertion != null) {
                String wssecRealm = stsProperties.getSamlRealmCodec().getRealmFromToken(assertion);
                SAMLTokenPrincipal samlPrincipal = new SAMLTokenPrincipalImpl(assertion);
                if (LOG.isLoggable(Level.FINE)) {
                    LOG.fine("SAML token realm of user '" + samlPrincipal.getName() + "' is " + wssecRealm);
                }
                ReceivedToken wssecToken = new ReceivedToken(assertion.getElement());
                wssecToken.setState(STATE.VALID);
                TokenValidatorResponse tokenResponse = new TokenValidatorResponse();
                tokenResponse.setPrincipal(samlPrincipal);
                tokenResponse.setToken(wssecToken);
                tokenResponse.setTokenRealm(wssecRealm);
                tokenResponse.setAdditionalProperties(new HashMap<String, Object>());
                processValidToken(providerParameters, wssecToken, tokenResponse);
                providerParameters.setPrincipal(wssecToken.getPrincipal());
            }
        }
        // Validate OnBehalfOf token if present
        if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
            ReceivedToken validateTarget = providerParameters.getTokenRequirements().getOnBehalfOf();
            handleDelegationToken(validateTarget, providerParameters, principal, messageContext, realm, requestRequirements);
        }
        // See whether ActAs is allowed or not
        if (providerParameters.getTokenRequirements().getActAs() != null) {
            ReceivedToken validateTarget = providerParameters.getTokenRequirements().getActAs();
            handleDelegationToken(validateTarget, providerParameters, principal, messageContext, realm, requestRequirements);
        }
        // create token
        TokenProviderResponse tokenResponse = null;
        for (TokenProvider tokenProvider : tokenProviders) {
            boolean canHandle = false;
            if (realm == null) {
                canHandle = tokenProvider.canHandleToken(tokenType);
            } else {
                canHandle = tokenProvider.canHandleToken(tokenType, realm);
            }
            if (canHandle) {
                try {
                    tokenResponse = tokenProvider.createToken(providerParameters);
                } catch (STSException ex) {
                    LOG.log(Level.WARNING, "", ex);
                    throw ex;
                } catch (RuntimeException ex) {
                    LOG.log(Level.WARNING, "", ex);
                    throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
                }
                break;
            }
        }
        if (tokenResponse == null || tokenResponse.getToken() == null) {
            LOG.log(Level.WARNING, "No token provider found for requested token type: " + tokenType);
            throw new STSException("No token provider found for requested token type: " + tokenType, STSException.REQUEST_FAILED);
        }
        // prepare response
        try {
            KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
            EncryptionProperties encryptionProperties = providerParameters.getEncryptionProperties();
            RequestSecurityTokenResponseType response = createResponse(encryptionProperties, tokenResponse, tokenRequirements, keyRequirements);
            STSIssueSuccessEvent event = new STSIssueSuccessEvent(providerParameters, System.currentTimeMillis() - start);
            publishEvent(event);
            return response;
        } catch (Throwable ex) {
            LOG.log(Level.WARNING, "", ex);
            throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
        }
    } catch (RuntimeException ex) {
        LOG.log(Level.SEVERE, "Cannot issue token: " + ex.getMessage(), ex);
        STSIssueFailureEvent event = new STSIssueFailureEvent(providerParameters, System.currentTimeMillis() - start, ex);
        publishEvent(event);
        throw ex;
    }
}
Also used : SAMLTokenPrincipal(org.apache.wss4j.common.principal.SAMLTokenPrincipal) RequestRequirements(org.apache.cxf.sts.request.RequestRequirements) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) STSException(org.apache.cxf.ws.security.sts.provider.STSException) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters) TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) SAMLTokenPrincipalImpl(org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl) STSIssueSuccessEvent(org.apache.cxf.sts.event.STSIssueSuccessEvent) STSIssueFailureEvent(org.apache.cxf.sts.event.STSIssueFailureEvent)

Example 44 with TokenValidatorResponse

use of org.apache.cxf.sts.token.validator.TokenValidatorResponse in project cxf by apache.

the class TokenIssueOperation method handleDelegationToken.

private void handleDelegationToken(ReceivedToken validateTarget, TokenProviderParameters providerParameters, Principal principal, Map<String, Object> messageContext, String realm, RequestRequirements requestRequirements) {
    TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, requestRequirements.getTokenRequirements(), validateTarget);
    if (tokenResponse == null) {
        LOG.fine("No Token Validator has been found that can handle this token");
    } else if (validateTarget.getState().equals(STATE.INVALID)) {
        throw new STSException("Incoming token is invalid", STSException.REQUEST_FAILED);
    } else if (validateTarget.getState().equals(STATE.VALID)) {
        processValidToken(providerParameters, validateTarget, tokenResponse);
    } else {
    // [TODO] Add plugin for validation out-of-band
    // Example:
    // If the requestor is in the possession of a certificate (mutual ssl handshake)
    // the STS trusts the token sent in OnBehalfOf element
    }
    Principal tokenPrincipal = null;
    Set<Principal> tokenRoles = null;
    if (tokenResponse != null) {
        Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
        if (additionalProperties != null) {
            providerParameters.setAdditionalProperties(additionalProperties);
        }
        tokenPrincipal = tokenResponse.getPrincipal();
        tokenRoles = tokenResponse.getRoles();
    }
    // See whether OnBehalfOf/ActAs is allowed or not
    performDelegationHandling(requestRequirements, principal, messageContext, validateTarget, tokenPrincipal, tokenRoles);
}
Also used : STSException(org.apache.cxf.ws.security.sts.provider.STSException) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) SAMLTokenPrincipal(org.apache.wss4j.common.principal.SAMLTokenPrincipal) Principal(java.security.Principal)

Example 45 with TokenValidatorResponse

use of org.apache.cxf.sts.token.validator.TokenValidatorResponse in project cxf by apache.

the class DummyTokenValidator method validateToken.

public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
    TokenValidatorResponse response = new TokenValidatorResponse();
    ReceivedToken validateTarget = tokenParameters.getToken();
    validateTarget.setState(STATE.INVALID);
    response.setToken(validateTarget);
    if (validateTarget != null && validateTarget.isBinarySecurityToken()) {
        BinarySecurityTokenType binarySecurity = (BinarySecurityTokenType) validateTarget.getToken();
        if ("12345678".equals(binarySecurity.getValue())) {
            validateTarget.setState(STATE.VALID);
        }
    }
    return response;
}
Also used : BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)

Aggregations

TokenValidatorResponse (org.apache.cxf.sts.token.validator.TokenValidatorResponse)49 ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)42 TokenValidatorParameters (org.apache.cxf.sts.token.validator.TokenValidatorParameters)31 Crypto (org.apache.wss4j.common.crypto.Crypto)25 Test (org.junit.Test)19 STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)17 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)17 CallbackHandler (javax.security.auth.callback.CallbackHandler)16 CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)16 TokenRequirements (org.apache.cxf.sts.request.TokenRequirements)15 Document (org.w3c.dom.Document)15 Element (org.w3c.dom.Element)15 TokenValidator (org.apache.cxf.sts.token.validator.TokenValidator)14 BinarySecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType)14 STSException (org.apache.cxf.ws.security.sts.provider.STSException)12 PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)11 SAMLTokenValidator (org.apache.cxf.sts.token.validator.SAMLTokenValidator)11 RequestData (org.apache.wss4j.dom.handler.RequestData)10 Credential (org.apache.wss4j.dom.validate.Credential)9 XmlParser (org.codice.ddf.parser.xml.XmlParser)7