Use of org.apache.cxf.ws.security.policy.model.Token in project OpenAM by OpenRock:
the class OpenAMSessionTokenClientInterceptor, method assertTokens.
    /**
     * Called to assert the relevant tokens. Asserting tokens means asserting that the corresponding policy has been
     * satisfied. This method is called inbound on the client side. This method will assert that the OpenAMSessionAssertion
     * has been satisfied, and also the SupportingToken policy (the OpenAMSessionToken policy always defines a SupportingToken),
     * and, if TLS is being used in the invocation, that the TransportPolicy has also been satisfied, as the OpenAMSessionToken
     * SecurityPolicy binding is always deployed as part of an unprotected binding (i.e. a 'bare' OpenAMSessionToken), or
     * as part of the Transport binding. Note that a TransportToken is the token manifestation of a TransportPolicy binding,
     * so asserting the TransportToken will assert the TransportPolicy.
     * @param message The SoapMessage defining the invocation.
     * @return The OpenAMSessionAssertion corresponding to the OpenAMSessionToken SecurityPolicy element protecting
     * soap-sts instances.
     */
    @Override
    protected Token assertTokens(SoapMessage message) {
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        Collection<AssertionInfo> ais = aim.getAssertionInfo(AMSTSConstants.AM_SESSION_TOKEN_ASSERTION_QNAME);
        Token token = null;
        for (AssertionInfo ai : ais) {
            token = (Token) ai.getAssertion();
            ai.setAsserted(true);
        }
        ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
        }
        /*
        On the server-side, isTLSInUse is used to determine a TLS invocation. On the client side, pulling the
        "http.scheme" and comparing it to https seems to be the approved approach:
        @see org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider
        */
        if (isTLSInUse(message)) {
            /*
            If TLS is in use, then the tokens are signed by TLS. So instead of having the transport binding reference
            a SupportingToken element, a SignedSupportingToken could be specified.
            */
            ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
            for (AssertionInfo ai : ais) {
                ai.setAsserted(true);
            }
            /*
            This should be asserted by the CXF TransportBindingHandler or TransportBinding or TransportToken, but
            it is not, resulting in the following messages, logged as FINE:
            An exception was thrown when verifying that the effective policy for this request was satisfied.
            However, this exception will not result in a fault. The exception raised is: org.apache.cxf.ws.policy.PolicyException:
            These policy alternatives can not be satisfied:{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken
            Asserting the TRANSPORT_TOKEN makes this message go away. I know that the OpenAMSessionToken will be deployed in
            either a 'bare' SecurityPolicy binding, or under the Transport binding, so if TLS is in use, the TRANSPORT_TOKEN
            can be asserted.
            */
            ais = aim.getAssertionInfo(SP12Constants.TRANSPORT_TOKEN);
            for (AssertionInfo ai : ais) {
                ai.setAsserted(true);
            }
        }
        return token;
    }
Use of org.apache.cxf.ws.security.policy.model.Token in project OpenAM by OpenRock:
the class OpenAMSessionTokenServerInterceptor, method assertTokens.
    /**
     * Called to assert the relevant tokens. Asserting tokens means asserting that the corresponding policy has been
     * satisfied. This method is called outbound on the server-side, and inbound on the client side. It is also called from
     * processTokenAbove, following successful token validation. This method will assert that the OpenAMSessionAssertion
     * has been satisfied, and also the SupportingToken policy (the OpenAMSessionToken policy always defines a SupportingToken),
     * and, if TLS is being used in the invocation, that the TransportPolicy has also been satisfied, as the OpenAMSessionToken
     * SecurityPolicy binding is always deployed as part of an unprotected binding (i.e. a 'bare' OpenAMSessionToken), or
     * as part of the Transport binding. Note that a TransportToken is the token manifestation of a TransportPolicy binding,
     * so asserting the TransportToken will assert the TransportPolicy.
     * @param message The SoapMessage defining the invocation.
     * @return The OpenAMSessionAssertion corresponding to the OpenAMSessionToken SecurityPolicy element protecting
     * soap-sts instances.
     */
    @Override
    protected Token assertTokens(SoapMessage message) {
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        Collection<AssertionInfo> ais = aim.getAssertionInfo(AMSTSConstants.AM_SESSION_TOKEN_ASSERTION_QNAME);
        Token token = null;
        for (AssertionInfo ai : ais) {
            token = (Token) ai.getAssertion();
            ai.setAsserted(true);
        }
        ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
        }
        if (isTLSInUse(message)) {
            /*
            If TLS is in use, then the tokens are signed by TLS. So instead of having the transport binding reference
            a SupportingToken element, a SignedSupportingToken could be specified.
            */
            ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
            for (AssertionInfo ai : ais) {
                ai.setAsserted(true);
            }
            /*
            This should be asserted by the CXF TransportBindingHandler or TransportBinding or TransportToken, but
            it is not, resulting in the following messages, logged as FINE:
            An exception was thrown when verifying that the effective policy for this request was satisfied.
            However, this exception will not result in a fault. The exception raised is: org.apache.cxf.ws.policy.PolicyException:
            These policy alternatives can not be satisfied:{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken
            Asserting the TRANSPORT_TOKEN makes this message go away. I know that the OpenAMSessionToken will be deployed in
            either a 'bare' SecurityPolicy binding, or under the Transport binding, so if TLS is in use, the TRANSPORT_TOKEN
            can be asserted.
            Note that this message is a bug - see
            http://cxf.547215.n5.nabble.com/Custom-SecurityPolicy-Assertions-and-the-Symmetric-binding-td5754879.html#a5755303
            for details. I will continue to assert the TRANSPORT_TOKEN to prevent these messages.
            */
            ais = aim.getAssertionInfo(SP12Constants.TRANSPORT_TOKEN);
            for (AssertionInfo ai : ais) {
                ai.setAsserted(true);
            }
        }
        return token;
    }
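Both interceptors above rely on `isTLSInUse(message)` to decide whether the TransportToken may be asserted, but neither shows how that decision is made. The following helper is an added illustration, not OpenAM or CXF code: it assumes CXF attaches a `TLSSessionInfo` to server-side messages over TLS and exposes the URL scheme under the `"http.scheme"` key on the client side (the approach the client-side comment references), and it only marks the SP 1.2 transport assertions satisfied when that check passes.

```java
import java.util.Collection;
import java.util.logging.Logger;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;

/** Illustrative helper (hypothetical, not OpenAM or CXF code) for guarded policy assertion. */
public final class GuardedTokenAsserter {
    private static final Logger LOG = Logger.getLogger(GuardedTokenAsserter.class.getName());

    private GuardedTokenAsserter() { }

    /**
     * TLS detection: on the server side the transport attaches a TLSSessionInfo to the
     * message; on the requestor (client) side the conduit records the scheme as "http.scheme".
     */
    public static boolean transportProtected(SoapMessage message) {
        if (MessageUtils.isRequestor(message)) {
            return "https".equals(message.get("http.scheme"));
        }
        return message.get(TLSSessionInfo.class) != null;
    }

    /** Marks every AssertionInfo registered for the QName as asserted; returns how many were marked. */
    public static int assertAll(AssertionInfoMap aim, QName assertionName) {
        Collection<AssertionInfo> ais = aim.getAssertionInfo(assertionName);
        int count = 0;
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
            count++;
        }
        return count;
    }

    /**
     * Asserts SIGNED_SUPPORTING_TOKENS and TRANSPORT_TOKEN only when TLS is really in use.
     * Asserting TRANSPORT_TOKEN on a plain-HTTP exchange would tell the policy engine that
     * transport protection was satisfied when it was not; leaving it unasserted instead
     * produces the FINE-level PolicyException quoted in the comments above.
     */
    public static boolean assertTransportTokensIfSecured(SoapMessage message) {
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        if (aim == null || !transportProtected(message)) {
            LOG.fine("Transport is not TLS-protected; TransportToken left unasserted");
            return false;
        }
        assertAll(aim, SP12Constants.SIGNED_SUPPORTING_TOKENS);
        assertAll(aim, SP12Constants.TRANSPORT_TOKEN);
        return true;
    }
}
```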