Example 71 with STSException
use of org.apache.cxf.ws.security.sts.provider.STSException in project cxf by apache.
the class ClaimsManager method retrieveClaimValues.
public ProcessedClaimCollection retrieveClaimValues(ClaimCollection claims, ClaimsParameters parameters) {
if (claims == null || claims.isEmpty()) {
return null;
}
Relationship relationship = null;
if (parameters.getAdditionalProperties() != null) {
relationship = (Relationship) parameters.getAdditionalProperties().get(Relationship.class.getName());
}
if (relationship == null || relationship.getType().equals(Relationship.FED_TYPE_IDENTITY)) {
// Federate identity. Identity already mapped.
// Call all configured claims handlers to retrieve the required claims
ProcessedClaimCollection returnCollection = handleClaims(claims, parameters);
validateClaimValues(claims, returnCollection);
return returnCollection;
}
// Federate claims
ClaimsMapper claimsMapper = relationship.getClaimsMapper();
if (claimsMapper == null) {
LOG.log(Level.SEVERE, "ClaimsMapper required to federate claims but not configured.");
throw new STSException("ClaimsMapper required to federate claims but not configured", STSException.BAD_REQUEST);
}
// Get the claims of the received token (only SAML supported)
// Consider refactoring to use a CallbackHandler and keep ClaimsManager token independent
SamlAssertionWrapper assertion = (SamlAssertionWrapper) parameters.getAdditionalProperties().get(SamlAssertionWrapper.class.getName());
final List<ProcessedClaim> claimList;
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
claimList = this.parseClaimsInAssertion(assertion.getSaml2());
} else {
claimList = this.parseClaimsInAssertion(assertion.getSaml1());
}
ProcessedClaimCollection sourceClaims = new ProcessedClaimCollection();
sourceClaims.addAll(claimList);
ProcessedClaimCollection targetClaims = claimsMapper.mapClaims(relationship.getSourceRealm(), sourceClaims, relationship.getTargetRealm(), parameters);
validateClaimValues(claims, targetClaims);
return targetClaims;
}
Also used :
Relationship(org.apache.cxf.sts.token.realm.Relationship)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
Example 72 with STSException
use of org.apache.cxf.ws.security.sts.provider.STSException in project cxf by apache.
the class ClaimsManager method validateClaimValues.
private boolean validateClaimValues(ClaimCollection requestedClaims, ProcessedClaimCollection claims) {
for (Claim claim : requestedClaims) {
String claimType = claim.getClaimType();
boolean found = false;
if (!claim.isOptional()) {
for (ProcessedClaim c : claims) {
if (c.getClaimType().equals(claimType)) {
found = true;
break;
}
}
if (!found) {
LOG.warning("Mandatory claim not found: " + claim.getClaimType());
throw new STSException("Mandatory claim '" + claim.getClaimType() + "' not found");
}
}
}
return true;
}
Also used :
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
Claim(org.apache.cxf.rt.security.claims.Claim)
Example 73 with STSException
use of org.apache.cxf.ws.security.sts.provider.STSException in project cxf by apache.
the class ClaimsManager method isCurrentRealmSupported.
private boolean isCurrentRealmSupported(ClaimsHandler handler, ClaimsParameters parameters) {
if (!(handler instanceof RealmSupport)) {
return true;
}
RealmSupport handlerRealmSupport = (RealmSupport) handler;
// Check whether the handler supports the current realm
if (handlerRealmSupport.getSupportedRealms() != null && handlerRealmSupport.getSupportedRealms().size() > 0 && handlerRealmSupport.getSupportedRealms().indexOf(parameters.getRealm()) == -1) {
if (LOG.isLoggable(Level.FINER)) {
LOG.finer("Handler '" + handlerRealmSupport.getClass().getName() + "' doesn't support" + " realm '" + parameters.getRealm() + "'");
}
return false;
}
// do an identity mapping
if (handlerRealmSupport.getHandlerRealm() != null && !handlerRealmSupport.getHandlerRealm().equalsIgnoreCase(parameters.getRealm())) {
final Principal targetPrincipal;
try {
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("Mapping user '" + parameters.getPrincipal().getName() + "' [" + parameters.getRealm() + "] to realm '" + handlerRealmSupport.getHandlerRealm() + "'");
}
targetPrincipal = doMapping(parameters.getRealm(), parameters.getPrincipal(), handlerRealmSupport.getHandlerRealm());
} catch (Exception ex) {
LOG.log(Level.WARNING, "Failed to map user '" + parameters.getPrincipal().getName() + "' [" + parameters.getRealm() + "] to realm '" + handlerRealmSupport.getHandlerRealm() + "'", ex);
throw new STSException("Failed to map user for claims handler", STSException.REQUEST_FAILED);
}
if (targetPrincipal == null || targetPrincipal.getName() == null) {
LOG.log(Level.WARNING, "Null. Failed to map user '" + parameters.getPrincipal().getName() + "' [" + parameters.getRealm() + "] to realm '" + handlerRealmSupport.getHandlerRealm() + "'");
return false;
}
if (LOG.isLoggable(Level.INFO)) {
LOG.info("Principal '" + targetPrincipal.getName() + "' passed to handler '" + handlerRealmSupport.getClass().getName() + "'");
}
parameters.setPrincipal(targetPrincipal);
} else {
if (LOG.isLoggable(Level.FINER)) {
LOG.finer("Handler '" + handlerRealmSupport.getClass().getName() + "' doesn't require" + " identity mapping '" + parameters.getRealm() + "'");
}
}
return true;
}
Also used :
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
Principal(java.security.Principal)
URISyntaxException(java.net.URISyntaxException)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
RealmSupport(org.apache.cxf.sts.token.realm.RealmSupport)
Example 74 with STSException
use of org.apache.cxf.ws.security.sts.provider.STSException in project cxf by apache.
the class TokenIssueOperation method issueSingle.
public RequestSecurityTokenResponseType issueSingle(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
long start = System.currentTimeMillis();
TokenProviderParameters providerParameters = new TokenProviderParameters();
try {
RequestRequirements requestRequirements = parseRequest(request, messageContext);
providerParameters = createTokenProviderParameters(requestRequirements, principal, messageContext);
providerParameters.setClaimsManager(claimsManager);
String realm = providerParameters.getRealm();
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
String tokenType = tokenRequirements.getTokenType();
if (stsProperties.getSamlRealmCodec() != null) {
SamlAssertionWrapper assertion = fetchSAMLAssertionFromWSSecuritySAMLToken(messageContext);
if (assertion != null) {
String wssecRealm = stsProperties.getSamlRealmCodec().getRealmFromToken(assertion);
SAMLTokenPrincipal samlPrincipal = new SAMLTokenPrincipalImpl(assertion);
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("SAML token realm of user '" + samlPrincipal.getName() + "' is " + wssecRealm);
}
ReceivedToken wssecToken = new ReceivedToken(assertion.getElement());
wssecToken.setState(STATE.VALID);
TokenValidatorResponse tokenResponse = new TokenValidatorResponse();
tokenResponse.setPrincipal(samlPrincipal);
tokenResponse.setToken(wssecToken);
tokenResponse.setTokenRealm(wssecRealm);
tokenResponse.setAdditionalProperties(new HashMap<String, Object>());
processValidToken(providerParameters, wssecToken, tokenResponse);
providerParameters.setPrincipal(wssecToken.getPrincipal());
}
}
// Validate OnBehalfOf token if present
if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
ReceivedToken validateTarget = providerParameters.getTokenRequirements().getOnBehalfOf();
handleDelegationToken(validateTarget, providerParameters, principal, messageContext, realm, requestRequirements);
}
// See whether ActAs is allowed or not
if (providerParameters.getTokenRequirements().getActAs() != null) {
ReceivedToken validateTarget = providerParameters.getTokenRequirements().getActAs();
handleDelegationToken(validateTarget, providerParameters, principal, messageContext, realm, requestRequirements);
}
// create token
TokenProviderResponse tokenResponse = null;
for (TokenProvider tokenProvider : tokenProviders) {
final boolean canHandle;
if (realm == null) {
canHandle = tokenProvider.canHandleToken(tokenType);
} else {
canHandle = tokenProvider.canHandleToken(tokenType, realm);
}
if (canHandle) {
try {
tokenResponse = tokenProvider.createToken(providerParameters);
} catch (STSException ex) {
LOG.log(Level.WARNING, "", ex);
throw ex;
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
}
break;
}
}
if (tokenResponse == null || tokenResponse.getToken() == null) {
LOG.log(Level.WARNING, "No token provider found for requested token type: " + tokenType);
throw new STSException("No token provider found for requested token type: " + tokenType, STSException.REQUEST_FAILED);
}
// prepare response
try {
KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
EncryptionProperties encryptionProperties = providerParameters.getEncryptionProperties();
RequestSecurityTokenResponseType response = createResponse(encryptionProperties, tokenResponse, tokenRequirements, keyRequirements);
STSIssueSuccessEvent event = new STSIssueSuccessEvent(providerParameters, System.currentTimeMillis() - start);
publishEvent(event);
cleanRequest(requestRequirements);
return response;
} catch (Throwable ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
}
} catch (RuntimeException ex) {
LOG.log(Level.SEVERE, "Cannot issue token: " + ex.getMessage(), ex);
STSIssueFailureEvent event = new STSIssueFailureEvent(providerParameters, System.currentTimeMillis() - start, ex);
publishEvent(event);
throw ex;
}
}
Also used :
SAMLTokenPrincipal(org.apache.wss4j.common.principal.SAMLTokenPrincipal)
RequestRequirements(org.apache.cxf.sts.request.RequestRequirements)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)
TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)
TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
SAMLTokenPrincipalImpl(org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl)
STSIssueSuccessEvent(org.apache.cxf.sts.event.STSIssueSuccessEvent)
STSIssueFailureEvent(org.apache.cxf.sts.event.STSIssueFailureEvent)
Example 75 with STSException
use of org.apache.cxf.ws.security.sts.provider.STSException in project cxf by apache.
the class TokenIssueOperation method handleDelegationToken.
private void handleDelegationToken(ReceivedToken validateTarget, TokenProviderParameters providerParameters, Principal principal, Map<String, Object> messageContext, String realm, RequestRequirements requestRequirements) {
TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, requestRequirements.getTokenRequirements(), validateTarget);
if (tokenResponse == null) {
LOG.fine("No Token Validator has been found that can handle this token");
} else if (validateTarget.getState().equals(STATE.INVALID)) {
throw new STSException("Incoming token is invalid", STSException.REQUEST_FAILED);
} else if (validateTarget.getState().equals(STATE.VALID)) {
processValidToken(providerParameters, validateTarget, tokenResponse);
} else {
// [TODO] Add plugin for validation out-of-band
// Example:
// If the requestor is in the possession of a certificate (mutual ssl handshake)
// the STS trusts the token sent in OnBehalfOf element
}
Principal tokenPrincipal = null;
Set<Principal> tokenRoles = null;
if (tokenResponse != null) {
Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
if (additionalProperties != null) {
providerParameters.setAdditionalProperties(additionalProperties);
}
tokenPrincipal = tokenResponse.getPrincipal();
tokenRoles = tokenResponse.getRoles();
}
// See whether OnBehalfOf/ActAs is allowed or not
performDelegationHandling(requestRequirements, principal, messageContext, validateTarget, tokenPrincipal, tokenRoles);
}
Also used :
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse)
SAMLTokenPrincipal(org.apache.wss4j.common.principal.SAMLTokenPrincipal)
Principal(java.security.Principal)
Aggregations
STSException (org.apache.cxf.ws.security.sts.provider.STSException)87
Element (org.w3c.dom.Element)33
Crypto (org.apache.wss4j.common.crypto.Crypto)31
JAXBElement (javax.xml.bind.JAXBElement)30
StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)26
RequestSecurityTokenResponseType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)26
RequestSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType)26
WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)25
MessageImpl (org.apache.cxf.message.MessageImpl)25
STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)24
PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)24
ServiceMBean (org.apache.cxf.sts.service.ServiceMBean)21
StaticService (org.apache.cxf.sts.service.StaticService)20
RequestSecurityTokenResponseCollectionType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType)18
Document (org.w3c.dom.Document)18
Principal (java.security.Principal)14
ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)14
EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties)14
TokenRequirements (org.apache.cxf.sts.request.TokenRequirements)13
SAMLTokenProvider (org.apache.cxf.sts.token.provider.SAMLTokenProvider)13
