Example 11 with STSException
use of org.apache.cxf.ws.security.sts.provider.STSException in project cxf by apache.
the class AbstractOperation method processValidToken.
protected void processValidToken(TokenProviderParameters providerParameters, ReceivedToken validatedToken, TokenValidatorResponse tokenResponse) {
// Map the principal (if it exists)
Principal responsePrincipal = tokenResponse.getPrincipal();
if (responsePrincipal != null) {
String targetRealm = providerParameters.getRealm();
String sourceRealm = tokenResponse.getTokenRealm();
if (sourceRealm != null && targetRealm != null && !sourceRealm.equals(targetRealm)) {
RelationshipResolver relRes = stsProperties.getRelationshipResolver();
Relationship relationship = null;
if (relRes != null) {
relationship = relRes.resolveRelationship(sourceRealm, targetRealm);
if (relationship != null) {
tokenResponse.getAdditionalProperties().put(Relationship.class.getName(), relationship);
}
}
if (relationship == null || relationship.getType().equals(Relationship.FED_TYPE_IDENTITY)) {
// federate identity
final IdentityMapper identityMapper;
if (relationship == null) {
identityMapper = stsProperties.getIdentityMapper();
} else {
identityMapper = relationship.getIdentityMapper();
}
if (identityMapper != null) {
Principal targetPrincipal = identityMapper.mapPrincipal(sourceRealm, responsePrincipal, targetRealm);
validatedToken.setPrincipal(targetPrincipal);
} else {
LOG.log(Level.SEVERE, "No IdentityMapper configured in STSProperties or Relationship");
throw new STSException("Error in providing a token", STSException.REQUEST_FAILED);
}
} else if (relationship.getType().equals(Relationship.FED_TYPE_CLAIMS)) {
// federate claims
// Claims are transformed at the time when the claims are required to create a token
// (ex. ClaimsAttributeStatementProvider)
// principal remains unchanged
} else {
LOG.log(Level.SEVERE, "Unknown federation type: " + relationship.getType());
throw new STSException("Error in providing a token", STSException.BAD_REQUEST);
}
}
}
}
Also used :
RelationshipResolver(org.apache.cxf.sts.token.realm.RelationshipResolver)
IdentityMapper(org.apache.cxf.sts.IdentityMapper)
Relationship(org.apache.cxf.sts.token.realm.Relationship)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
Principal(java.security.Principal)
Example 12 with STSException
use of org.apache.cxf.ws.security.sts.provider.STSException in project cxf by apache.
the class AbstractOperation method performDelegationHandling.
protected void performDelegationHandling(RequestRequirements requestRequirements, Principal principal, Map<String, Object> messageContext, ReceivedToken token, Principal tokenPrincipal, Set<Principal> tokenRoles) {
TokenDelegationParameters delegationParameters = new TokenDelegationParameters();
delegationParameters.setStsProperties(stsProperties);
delegationParameters.setPrincipal(principal);
delegationParameters.setMessageContext(messageContext);
delegationParameters.setTokenStore(getTokenStore());
delegationParameters.setTokenPrincipal(tokenPrincipal);
delegationParameters.setTokenRoles(tokenRoles);
KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
delegationParameters.setKeyRequirements(keyRequirements);
delegationParameters.setTokenRequirements(tokenRequirements);
// Extract AppliesTo
String address = extractAddressFromAppliesTo(tokenRequirements.getAppliesTo());
delegationParameters.setAppliesToAddress(address);
delegationParameters.setToken(token);
TokenDelegationResponse tokenResponse = null;
for (TokenDelegationHandler delegationHandler : delegationHandlers) {
if (delegationHandler.canHandleToken(token)) {
try {
tokenResponse = delegationHandler.isDelegationAllowed(delegationParameters);
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in delegation handling", ex, STSException.REQUEST_FAILED);
}
break;
}
}
if (tokenResponse == null || !tokenResponse.isDelegationAllowed()) {
LOG.log(Level.WARNING, "No matching token delegation handler found");
throw new STSException("No matching token delegation handler found", STSException.REQUEST_FAILED);
}
}
Also used :
TokenDelegationParameters(org.apache.cxf.sts.token.delegation.TokenDelegationParameters)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
TokenDelegationResponse(org.apache.cxf.sts.token.delegation.TokenDelegationResponse)
TokenDelegationHandler(org.apache.cxf.sts.token.delegation.TokenDelegationHandler)
Example 13 with STSException
use of org.apache.cxf.ws.security.sts.provider.STSException in project cxf by apache.
the class TokenRenewOperation method renew.
public RequestSecurityTokenResponseType renew(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
long start = System.currentTimeMillis();
TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
try {
RequestRequirements requestRequirements = parseRequest(request, messageContext);
KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
renewerParameters.setStsProperties(stsProperties);
renewerParameters.setPrincipal(principal);
renewerParameters.setMessageContext(messageContext);
renewerParameters.setTokenStore(getTokenStore());
renewerParameters.setKeyRequirements(keyRequirements);
renewerParameters.setTokenRequirements(tokenRequirements);
ReceivedToken renewTarget = tokenRequirements.getRenewTarget();
if (renewTarget == null || renewTarget.getToken() == null) {
throw new STSException("No element presented for renewal", STSException.INVALID_REQUEST);
}
renewerParameters.setToken(renewTarget);
if (tokenRequirements.getTokenType() == null) {
LOG.fine("Received TokenType is null");
}
// Get the realm of the request
String realm = null;
if (stsProperties.getRealmParser() != null) {
RealmParser realmParser = stsProperties.getRealmParser();
realm = realmParser.parseRealm(messageContext);
}
renewerParameters.setRealm(realm);
// Validate the request
TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, tokenRequirements, renewTarget);
if (tokenResponse == null) {
LOG.fine("No Token Validator has been found that can handle this token");
renewTarget.setState(STATE.INVALID);
throw new STSException("No Token Validator has been found that can handle this token" + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
}
// Reject an invalid token
if (tokenResponse.getToken().getState() != STATE.EXPIRED && tokenResponse.getToken().getState() != STATE.VALID) {
LOG.fine("The token is not valid or expired, and so it cannot be renewed");
throw new STSException("No Token Validator has been found that can handle this token" + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
}
//
// Renew the token
//
TokenRenewerResponse tokenRenewerResponse = null;
renewerParameters = createTokenRenewerParameters(requestRequirements, principal, messageContext);
Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
if (additionalProperties != null) {
renewerParameters.setAdditionalProperties(additionalProperties);
}
renewerParameters.setRealm(tokenResponse.getTokenRealm());
renewerParameters.setToken(tokenResponse.getToken());
realm = tokenResponse.getTokenRealm();
for (TokenRenewer tokenRenewer : tokenRenewers) {
final boolean canHandle;
if (realm == null) {
canHandle = tokenRenewer.canHandleToken(tokenResponse.getToken());
} else {
canHandle = tokenRenewer.canHandleToken(tokenResponse.getToken(), realm);
}
if (canHandle) {
try {
tokenRenewerResponse = tokenRenewer.renewToken(renewerParameters);
} catch (STSException ex) {
LOG.log(Level.WARNING, "", ex);
throw ex;
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
}
break;
}
}
if (tokenRenewerResponse == null || tokenRenewerResponse.getToken() == null) {
LOG.fine("No Token Renewer has been found that can handle this token");
throw new STSException("No token renewer found for requested token type", STSException.REQUEST_FAILED);
}
// prepare response
try {
EncryptionProperties encryptionProperties = renewerParameters.getEncryptionProperties();
RequestSecurityTokenResponseType response = createResponse(encryptionProperties, tokenRenewerResponse, tokenRequirements, keyRequirements);
STSRenewSuccessEvent event = new STSRenewSuccessEvent(renewerParameters, System.currentTimeMillis() - start);
publishEvent(event);
cleanRequest(requestRequirements);
return response;
} catch (Throwable ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
}
} catch (RuntimeException ex) {
STSRenewFailureEvent event = new STSRenewFailureEvent(renewerParameters, System.currentTimeMillis() - start, ex);
publishEvent(event);
throw ex;
}
}
Also used :
STSRenewSuccessEvent(org.apache.cxf.sts.event.STSRenewSuccessEvent)
TokenRenewerResponse(org.apache.cxf.sts.token.renewer.TokenRenewerResponse)
RequestRequirements(org.apache.cxf.sts.request.RequestRequirements)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)
RealmParser(org.apache.cxf.sts.RealmParser)
STSRenewFailureEvent(org.apache.cxf.sts.event.STSRenewFailureEvent)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
TokenRenewerParameters(org.apache.cxf.sts.token.renewer.TokenRenewerParameters)
TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse)
KeyRequirements(org.apache.cxf.sts.request.KeyRequirements)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
TokenRenewer(org.apache.cxf.sts.token.renewer.TokenRenewer)
Example 14 with STSException
use of org.apache.cxf.ws.security.sts.provider.STSException in project cxf by apache.
the class TokenValidateOperation method validate.
public RequestSecurityTokenResponseType validate(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
long start = System.currentTimeMillis();
TokenValidatorParameters validatorParameters = new TokenValidatorParameters();
try {
RequestRequirements requestRequirements = parseRequest(request, messageContext);
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
validatorParameters.setStsProperties(stsProperties);
validatorParameters.setPrincipal(principal);
validatorParameters.setMessageContext(messageContext);
validatorParameters.setTokenStore(getTokenStore());
// validatorParameters.setKeyRequirements(keyRequirements);
validatorParameters.setTokenRequirements(tokenRequirements);
ReceivedToken validateTarget = tokenRequirements.getValidateTarget();
if (validateTarget == null || validateTarget.getToken() == null) {
throw new STSException("No element presented for validation", STSException.INVALID_REQUEST);
}
validatorParameters.setToken(validateTarget);
if (tokenRequirements.getTokenType() == null) {
tokenRequirements.setTokenType(STSConstants.STATUS);
LOG.fine("Received TokenType is null, falling back to default token type: " + STSConstants.STATUS);
}
// Get the realm of the request
String realm = null;
if (stsProperties.getRealmParser() != null) {
RealmParser realmParser = stsProperties.getRealmParser();
realm = realmParser.parseRealm(messageContext);
}
validatorParameters.setRealm(realm);
TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, tokenRequirements, validateTarget);
if (tokenResponse == null) {
LOG.fine("No Token Validator has been found that can handle this token");
tokenResponse = new TokenValidatorResponse();
validateTarget.setState(STATE.INVALID);
tokenResponse.setToken(validateTarget);
}
//
// Create a new token (if requested)
//
TokenProviderResponse tokenProviderResponse = null;
String tokenType = tokenRequirements.getTokenType();
if (tokenResponse.getToken().getState() == STATE.VALID && !STSConstants.STATUS.equals(tokenType)) {
TokenProviderParameters providerParameters = createTokenProviderParameters(requestRequirements, principal, messageContext);
processValidToken(providerParameters, validateTarget, tokenResponse);
// Check if the requested claims can be handled by the configured claim handlers
providerParameters.setClaimsManager(claimsManager);
Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
if (additionalProperties != null) {
providerParameters.setAdditionalProperties(additionalProperties);
}
realm = providerParameters.getRealm();
for (TokenProvider tokenProvider : tokenProviders) {
final boolean canHandle;
if (realm == null) {
canHandle = tokenProvider.canHandleToken(tokenType);
} else {
canHandle = tokenProvider.canHandleToken(tokenType, realm);
}
if (canHandle) {
try {
tokenProviderResponse = tokenProvider.createToken(providerParameters);
} catch (STSException ex) {
LOG.log(Level.WARNING, "", ex);
throw ex;
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
}
break;
}
}
if (tokenProviderResponse == null || tokenProviderResponse.getToken() == null) {
LOG.fine("No Token Provider has been found that can handle this token");
throw new STSException("No token provider found for requested token type: " + tokenType, STSException.REQUEST_FAILED);
}
}
// prepare response
try {
RequestSecurityTokenResponseType response = createResponse(tokenResponse, tokenProviderResponse, tokenRequirements);
STSValidateSuccessEvent event = new STSValidateSuccessEvent(validatorParameters, System.currentTimeMillis() - start);
publishEvent(event);
cleanRequest(requestRequirements);
return response;
} catch (Throwable ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
}
} catch (RuntimeException ex) {
STSValidateFailureEvent event = new STSValidateFailureEvent(validatorParameters, System.currentTimeMillis() - start, ex);
publishEvent(event);
throw ex;
}
}
Also used :
RequestRequirements(org.apache.cxf.sts.request.RequestRequirements)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)
TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)
TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters)
RealmParser(org.apache.cxf.sts.RealmParser)
TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider)
TokenRequirements(org.apache.cxf.sts.request.TokenRequirements)
TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse)
STSValidateSuccessEvent(org.apache.cxf.sts.event.STSValidateSuccessEvent)
STSValidateFailureEvent(org.apache.cxf.sts.event.STSValidateFailureEvent)
Example 15 with STSException
use of org.apache.cxf.ws.security.sts.provider.STSException in project cxf by apache.
the class RequestParser method parseRequest.
public RequestRequirements parseRequest(RequestSecurityTokenType request, Map<String, Object> messageContext, STSPropertiesMBean stsProperties, List<ClaimsParser> claimsParsers) throws STSException {
LOG.fine("Parsing RequestSecurityToken");
KeyRequirements keyRequirements = new KeyRequirements();
TokenRequirements tokenRequirements = new TokenRequirements();
for (Object requestObject : request.getAny()) {
// JAXB types
if (requestObject instanceof JAXBElement<?>) {
JAXBElement<?> jaxbElement = (JAXBElement<?>) requestObject;
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("Found " + jaxbElement.getName() + ": " + jaxbElement.getValue());
}
try {
boolean found = parseTokenRequirements(jaxbElement, tokenRequirements, messageContext, claimsParsers);
if (!found) {
found = parseKeyRequirements(jaxbElement, keyRequirements, messageContext, stsProperties);
}
if (!found) {
if (allowCustomContent) {
tokenRequirements.addCustomContent(jaxbElement);
} else {
LOG.log(Level.WARNING, "Found a JAXB object of unknown type: " + jaxbElement.getName());
throw new STSException("An unknown element was received", STSException.BAD_REQUEST);
}
}
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "", ex);
throw ex;
}
// SecondaryParameters/AppliesTo
} else if (requestObject instanceof Element) {
Element element = (Element) requestObject;
if (STSConstants.WST_NS_05_12.equals(element.getNamespaceURI()) && "SecondaryParameters".equals(element.getLocalName())) {
parseSecondaryParameters(element, claimsParsers, tokenRequirements, keyRequirements);
} else if ("AppliesTo".equals(element.getLocalName()) && (STSConstants.WSP_NS.equals(element.getNamespaceURI()) || STSConstants.WSP_NS_04.equals(element.getNamespaceURI()) || STSConstants.WSP_NS_06.equals(element.getNamespaceURI()))) {
tokenRequirements.setAppliesTo(element);
LOG.fine("Found AppliesTo element");
} else if (allowCustomContent) {
tokenRequirements.addCustomContent(requestObject);
} else {
LOG.log(Level.WARNING, "An unknown (DOM) element was received: " + element.getLocalName() + " " + element.getNamespaceURI());
throw new STSException("An unknown element was received", STSException.BAD_REQUEST);
}
} else {
LOG.log(Level.WARNING, "An unknown element was received");
throw new STSException("An unknown element was received", STSException.BAD_REQUEST);
}
}
String context = request.getContext();
tokenRequirements.setContext(context);
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("Received Context attribute: " + context);
}
RequestRequirements requestRequirements = new RequestRequirements();
requestRequirements.setKeyRequirements(keyRequirements);
requestRequirements.setTokenRequirements(tokenRequirements);
return requestRequirements;
}
Also used :
JAXBElement(javax.xml.bind.JAXBElement)
Element(org.w3c.dom.Element)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
JAXBElement(javax.xml.bind.JAXBElement)
Aggregations
STSException (org.apache.cxf.ws.security.sts.provider.STSException)87
Element (org.w3c.dom.Element)33
Crypto (org.apache.wss4j.common.crypto.Crypto)31
JAXBElement (javax.xml.bind.JAXBElement)30
StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)26
RequestSecurityTokenResponseType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)26
RequestSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType)26
WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)25
MessageImpl (org.apache.cxf.message.MessageImpl)25
STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)24
PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)24
ServiceMBean (org.apache.cxf.sts.service.ServiceMBean)21
StaticService (org.apache.cxf.sts.service.StaticService)20
RequestSecurityTokenResponseCollectionType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType)18
Document (org.w3c.dom.Document)18
Principal (java.security.Principal)14
ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)14
EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties)14
TokenRequirements (org.apache.cxf.sts.request.TokenRequirements)13
SAMLTokenProvider (org.apache.cxf.sts.token.provider.SAMLTokenProvider)13
