use of org.apache.cxf.sts.token.validator.TokenValidatorResponse in project ddf by codice.
the class WebSSOTokenValidator method validateToken.
/**
* Validate a Token using the given TokenValidatorParameters.
*/
@Override
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
LOGGER.debug("Validating SSO Token");
STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
Crypto sigCrypto = stsProperties.getSignatureCrypto();
CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
RequestData requestData = new RequestData();
requestData.setSigVerCrypto(sigCrypto);
WSSConfig wssConfig = WSSConfig.getNewInstance();
requestData.setWssConfig(wssConfig);
requestData.setCallbackHandler(callbackHandler);
LOGGER.debug("Setting validate state to invalid before check.");
TokenValidatorResponse response = new TokenValidatorResponse();
ReceivedToken validateTarget = tokenParameters.getToken();
validateTarget.setState(STATE.INVALID);
response.setToken(validateTarget);
if (!validateTarget.isBinarySecurityToken()) {
LOGGER.debug("Validate target is not a binary security token, returning invalid response.");
return response;
}
LOGGER.debug("Getting binary security token from validate target");
BinarySecurityTokenType binarySecurityToken = (BinarySecurityTokenType) validateTarget.getToken();
//
// Decode the token
//
LOGGER.debug("Decoding binary security token.");
String base64Token = binarySecurityToken.getValue();
String ticket = null;
String service = null;
try {
byte[] token = Base64.getDecoder().decode(base64Token);
if (token == null || token.length == 0) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "Binary security token NOT successfully decoded, is empty or null.");
}
String decodedToken = new String(token, Charset.forName("UTF-8"));
if (StringUtils.isNotBlank(decodedToken)) {
LOGGER.debug("Binary security token successfully decoded: {}", decodedToken);
// Token is in the format ticket|service
String[] parts = StringUtils.split(decodedToken, CAS_BST_SEP);
if (parts.length == 2) {
ticket = parts[0];
service = parts[1];
} else {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "Was not able to parse out BST propertly. Should be in ticket|service format.");
}
} else {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "Binary security token NOT successfully decoded, is empty or null.");
}
} catch (WSSecurityException wsse) {
String msg = "Unable to decode BST into ticket and service for validation to CAS.";
LOGGER.info(msg, wsse);
return response;
}
//
try {
LOGGER.debug("Validating ticket [{}] for service [{}].", ticket, service);
// validate either returns an assertion or throws an exception
Assertion assertion = validate(ticket, service);
AttributePrincipal principal = assertion.getPrincipal();
LOGGER.debug("User name retrieved from CAS: {}", principal.getName());
response.setPrincipal(principal);
LOGGER.debug("CAS ticket successfully validated, setting state to valid.");
validateTarget.setState(STATE.VALID);
} catch (TicketValidationException e) {
LOGGER.debug("Unable to validate CAS token.", e);
}
return response;
}
use of org.apache.cxf.sts.token.validator.TokenValidatorResponse in project cxf by apache.
the class AbstractOperation method validateReceivedToken.
protected TokenValidatorResponse validateReceivedToken(Principal principal, Map<String, Object> messageContext, String realm, TokenRequirements tokenRequirements, ReceivedToken token) {
token.setState(STATE.NONE);
TokenRequirements validateRequirements = new TokenRequirements();
validateRequirements.setValidateTarget(token);
TokenValidatorParameters validatorParameters = new TokenValidatorParameters();
validatorParameters.setStsProperties(stsProperties);
validatorParameters.setPrincipal(principal);
validatorParameters.setMessageContext(messageContext);
validatorParameters.setTokenStore(getTokenStore());
validatorParameters.setKeyRequirements(null);
validatorParameters.setTokenRequirements(validateRequirements);
validatorParameters.setToken(token);
if (tokenValidators.isEmpty()) {
LOG.fine("No token validators have been configured to validate the received token");
}
TokenValidatorResponse tokenResponse = null;
for (TokenValidator tokenValidator : tokenValidators) {
boolean canHandle = false;
if (realm == null) {
canHandle = tokenValidator.canHandleToken(token);
} else {
canHandle = tokenValidator.canHandleToken(token, realm);
}
if (canHandle) {
try {
tokenResponse = tokenValidator.validateToken(validatorParameters);
token = tokenResponse.getToken();
// The parsed principal/roles is set if available. It's up to other
// components to deal with the STATE of the validation
token.setPrincipal(tokenResponse.getPrincipal());
token.setRoles(tokenResponse.getRoles());
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "Failed to validate the token", ex);
token.setState(STATE.INVALID);
}
break;
}
}
if (tokenResponse == null) {
LOG.fine("No token validator has been configured to validate the received token");
}
return tokenResponse;
}
use of org.apache.cxf.sts.token.validator.TokenValidatorResponse in project cxf by apache.
the class TokenIssueOperation method issueSingle.
public RequestSecurityTokenResponseType issueSingle(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
long start = System.currentTimeMillis();
TokenProviderParameters providerParameters = new TokenProviderParameters();
try {
RequestRequirements requestRequirements = parseRequest(request, messageContext);
providerParameters = createTokenProviderParameters(requestRequirements, principal, messageContext);
providerParameters.setClaimsManager(claimsManager);
String realm = providerParameters.getRealm();
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
String tokenType = tokenRequirements.getTokenType();
if (stsProperties.getSamlRealmCodec() != null) {
SamlAssertionWrapper assertion = fetchSAMLAssertionFromWSSecuritySAMLToken(messageContext);
if (assertion != null) {
String wssecRealm = stsProperties.getSamlRealmCodec().getRealmFromToken(assertion);
SAMLTokenPrincipal samlPrincipal = new SAMLTokenPrincipalImpl(assertion);
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("SAML token realm of user '" + samlPrincipal.getName() + "' is " + wssecRealm);
}
ReceivedToken wssecToken = new ReceivedToken(assertion.getElement());
wssecToken.setState(STATE.VALID);
TokenValidatorResponse tokenResponse = new TokenValidatorResponse();
tokenResponse.setPrincipal(samlPrincipal);
tokenResponse.setToken(wssecToken);
tokenResponse.setTokenRealm(wssecRealm);
tokenResponse.setAdditionalProperties(new HashMap<String, Object>());
processValidToken(providerParameters, wssecToken, tokenResponse);
providerParameters.setPrincipal(wssecToken.getPrincipal());
}
}
// Validate OnBehalfOf token if present
if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
ReceivedToken validateTarget = providerParameters.getTokenRequirements().getOnBehalfOf();
handleDelegationToken(validateTarget, providerParameters, principal, messageContext, realm, requestRequirements);
}
// See whether ActAs is allowed or not
if (providerParameters.getTokenRequirements().getActAs() != null) {
ReceivedToken validateTarget = providerParameters.getTokenRequirements().getActAs();
handleDelegationToken(validateTarget, providerParameters, principal, messageContext, realm, requestRequirements);
}
// create token
TokenProviderResponse tokenResponse = null;
for (TokenProvider tokenProvider : tokenProviders) {
boolean canHandle = false;
if (realm == null) {
canHandle = tokenProvider.canHandleToken(tokenType);
} else {
canHandle = tokenProvider.canHandleToken(tokenType, realm);
}
if (canHandle) {
try {
tokenResponse = tokenProvider.createToken(providerParameters);
} catch (STSException ex) {
LOG.log(Level.WARNING, "", ex);
throw ex;
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
}
break;
}
}
if (tokenResponse == null || tokenResponse.getToken() == null) {
LOG.log(Level.WARNING, "No token provider found for requested token type: " + tokenType);
throw new STSException("No token provider found for requested token type: " + tokenType, STSException.REQUEST_FAILED);
}
// prepare response
try {
KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
EncryptionProperties encryptionProperties = providerParameters.getEncryptionProperties();
RequestSecurityTokenResponseType response = createResponse(encryptionProperties, tokenResponse, tokenRequirements, keyRequirements);
STSIssueSuccessEvent event = new STSIssueSuccessEvent(providerParameters, System.currentTimeMillis() - start);
publishEvent(event);
return response;
} catch (Throwable ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
}
} catch (RuntimeException ex) {
LOG.log(Level.SEVERE, "Cannot issue token: " + ex.getMessage(), ex);
STSIssueFailureEvent event = new STSIssueFailureEvent(providerParameters, System.currentTimeMillis() - start, ex);
publishEvent(event);
throw ex;
}
}
use of org.apache.cxf.sts.token.validator.TokenValidatorResponse in project cxf by apache.
the class TokenIssueOperation method handleDelegationToken.
private void handleDelegationToken(ReceivedToken validateTarget, TokenProviderParameters providerParameters, Principal principal, Map<String, Object> messageContext, String realm, RequestRequirements requestRequirements) {
TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, requestRequirements.getTokenRequirements(), validateTarget);
if (tokenResponse == null) {
LOG.fine("No Token Validator has been found that can handle this token");
} else if (validateTarget.getState().equals(STATE.INVALID)) {
throw new STSException("Incoming token is invalid", STSException.REQUEST_FAILED);
} else if (validateTarget.getState().equals(STATE.VALID)) {
processValidToken(providerParameters, validateTarget, tokenResponse);
} else {
// [TODO] Add plugin for validation out-of-band
// Example:
// If the requestor is in the possession of a certificate (mutual ssl handshake)
// the STS trusts the token sent in OnBehalfOf element
}
Principal tokenPrincipal = null;
Set<Principal> tokenRoles = null;
if (tokenResponse != null) {
Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
if (additionalProperties != null) {
providerParameters.setAdditionalProperties(additionalProperties);
}
tokenPrincipal = tokenResponse.getPrincipal();
tokenRoles = tokenResponse.getRoles();
}
// See whether OnBehalfOf/ActAs is allowed or not
performDelegationHandling(requestRequirements, principal, messageContext, validateTarget, tokenPrincipal, tokenRoles);
}
use of org.apache.cxf.sts.token.validator.TokenValidatorResponse in project cxf by apache.
the class DummyTokenValidator method validateToken.
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
TokenValidatorResponse response = new TokenValidatorResponse();
ReceivedToken validateTarget = tokenParameters.getToken();
validateTarget.setState(STATE.INVALID);
response.setToken(validateTarget);
if (validateTarget != null && validateTarget.isBinarySecurityToken()) {
BinarySecurityTokenType binarySecurity = (BinarySecurityTokenType) validateTarget.getToken();
if ("12345678".equals(binarySecurity.getValue())) {
validateTarget.setState(STATE.VALID);
}
}
return response;
}
Aggregations