Example 86 with STSException
use of org.apache.cxf.ws.security.sts.provider.STSException in project cxf by apache.
the class SAMLTokenRenewer method validateAssertion.
private void validateAssertion(SamlAssertionWrapper assertion, ReceivedToken tokenToRenew, SecurityToken token, TokenRenewerParameters tokenParameters) throws WSSecurityException {
// Check the cached renewal properties
Map<String, Object> props = token.getProperties();
if (props == null) {
LOG.log(Level.WARNING, "Error in getting properties from cached token");
throw new STSException("Error in getting properties from cached token", STSException.REQUEST_FAILED);
}
String isAllowRenewal = (String) props.get(STSConstants.TOKEN_RENEWING_ALLOW);
String isAllowRenewalAfterExpiry = (String) props.get(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY);
if (isAllowRenewal == null || !Boolean.valueOf(isAllowRenewal)) {
LOG.log(Level.WARNING, "The token is not allowed to be renewed");
throw new STSException("The token is not allowed to be renewed", STSException.REQUEST_FAILED);
}
// Check to see whether the token has expired greater than the configured max expiry time
if (tokenToRenew.getState() == STATE.EXPIRED) {
if (!allowRenewalAfterExpiry || isAllowRenewalAfterExpiry == null || !Boolean.valueOf(isAllowRenewalAfterExpiry)) {
LOG.log(Level.WARNING, "Renewal after expiry is not allowed");
throw new STSException("Renewal after expiry is not allowed", STSException.REQUEST_FAILED);
}
DateTime expiryDate = getExpiryDate(assertion);
DateTime currentDate = new DateTime();
if ((currentDate.getMillis() - expiryDate.getMillis()) > (maxExpiry * 1000L)) {
LOG.log(Level.WARNING, "The token expired too long ago to be renewed");
throw new STSException("The token expired too long ago to be renewed", STSException.REQUEST_FAILED);
}
}
// Verify Proof of Possession
ProofOfPossessionValidator popValidator = new ProofOfPossessionValidator();
if (verifyProofOfPossession) {
STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
Crypto sigCrypto = stsProperties.getSignatureCrypto();
CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
RequestData requestData = new RequestData();
requestData.setSigVerCrypto(sigCrypto);
WSSConfig wssConfig = WSSConfig.getNewInstance();
requestData.setWssConfig(wssConfig);
WSDocInfo docInfo = new WSDocInfo(((Element) tokenToRenew.getToken()).getOwnerDocument());
requestData.setWsDocInfo(docInfo);
// Parse the HOK subject if it exists
assertion.parseSubject(new WSSSAMLKeyInfoProcessor(requestData), sigCrypto, callbackHandler);
SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
if (keyInfo == null) {
keyInfo = new SAMLKeyInfo((byte[]) null);
}
if (!popValidator.checkProofOfPossession(tokenParameters, keyInfo)) {
throw new STSException("Failed to verify the proof of possession of the key associated with the " + "saml token. No matching key found in the request.", STSException.INVALID_REQUEST);
}
}
// Check the AppliesTo address
String appliesToAddress = tokenParameters.getAppliesToAddress();
if (appliesToAddress != null) {
if (assertion.getSaml1() != null) {
List<AudienceRestrictionCondition> restrConditions = assertion.getSaml1().getConditions().getAudienceRestrictionConditions();
if (!matchSaml1AudienceRestriction(appliesToAddress, restrConditions)) {
LOG.log(Level.WARNING, "The AppliesTo address does not match the Audience Restriction");
throw new STSException("The AppliesTo address does not match the Audience Restriction", STSException.INVALID_REQUEST);
}
} else {
List<AudienceRestriction> audienceRestrs = assertion.getSaml2().getConditions().getAudienceRestrictions();
if (!matchSaml2AudienceRestriction(appliesToAddress, audienceRestrs)) {
LOG.log(Level.WARNING, "The AppliesTo address does not match the Audience Restriction");
throw new STSException("The AppliesTo address does not match the Audience Restriction", STSException.INVALID_REQUEST);
}
}
}
}
Also used :
WSDocInfo(org.apache.wss4j.dom.WSDocInfo)
CallbackHandler(javax.security.auth.callback.CallbackHandler)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
DateTime(org.joda.time.DateTime)
Crypto(org.apache.wss4j.common.crypto.Crypto)
AudienceRestriction(org.opensaml.saml.saml2.core.AudienceRestriction)
SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo)
STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean)
WSSConfig(org.apache.wss4j.dom.engine.WSSConfig)
RequestData(org.apache.wss4j.dom.handler.RequestData)
AudienceRestrictionCondition(org.opensaml.saml.saml1.core.AudienceRestrictionCondition)
WSSSAMLKeyInfoProcessor(org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor)
Example 87 with STSException
use of org.apache.cxf.ws.security.sts.provider.STSException in project cxf by apache.
the class ActAsAttributeStatementProvider method getStatement.
/**
* Get an AttributeStatementBean using the given parameters.
*/
public AttributeStatementBean getStatement(TokenProviderParameters providerParameters) {
AttributeStatementBean attrBean = new AttributeStatementBean();
TokenRequirements tokenRequirements = providerParameters.getTokenRequirements();
ReceivedToken actAs = tokenRequirements.getActAs();
try {
if (actAs != null) {
List<AttributeBean> attributeList = new ArrayList<>();
String tokenType = tokenRequirements.getTokenType();
AttributeBean parameterBean = handleAdditionalParameters(actAs.getToken(), tokenType);
if (!parameterBean.getAttributeValues().isEmpty()) {
attributeList.add(parameterBean);
}
attrBean.setSamlAttributes(attributeList);
}
} catch (WSSecurityException ex) {
throw new STSException(ex.getMessage(), ex);
}
return attrBean;
}
Also used :
AttributeStatementBean(org.apache.wss4j.common.saml.bean.AttributeStatementBean)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
ArrayList(java.util.ArrayList)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
AttributeBean(org.apache.wss4j.common.saml.bean.AttributeBean)
Aggregations
STSException (org.apache.cxf.ws.security.sts.provider.STSException)87
Element (org.w3c.dom.Element)33
Crypto (org.apache.wss4j.common.crypto.Crypto)31
JAXBElement (javax.xml.bind.JAXBElement)30
StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)26
RequestSecurityTokenResponseType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)26
RequestSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType)26
WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)25
MessageImpl (org.apache.cxf.message.MessageImpl)25
STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)24
PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)24
ServiceMBean (org.apache.cxf.sts.service.ServiceMBean)21
StaticService (org.apache.cxf.sts.service.StaticService)20
RequestSecurityTokenResponseCollectionType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType)18
Document (org.w3c.dom.Document)18
Principal (java.security.Principal)14
ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)14
EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties)14
TokenRequirements (org.apache.cxf.sts.request.TokenRequirements)13
SAMLTokenProvider (org.apache.cxf.sts.token.provider.SAMLTokenProvider)13
