Search in sources :

Example 1 with RequestSecurityTokenResponseType

use of org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType in project cxf by apache.

the class TokenRenewOperation method renew.

public RequestSecurityTokenResponseType renew(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
    long start = System.currentTimeMillis();
    TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
    try {
        RequestRequirements requestRequirements = parseRequest(request, messageContext);
        KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
        TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
        renewerParameters.setStsProperties(stsProperties);
        renewerParameters.setPrincipal(principal);
        renewerParameters.setMessageContext(messageContext);
        renewerParameters.setTokenStore(getTokenStore());
        renewerParameters.setKeyRequirements(keyRequirements);
        renewerParameters.setTokenRequirements(tokenRequirements);
        ReceivedToken renewTarget = tokenRequirements.getRenewTarget();
        if (renewTarget == null || renewTarget.getToken() == null) {
            throw new STSException("No element presented for renewal", STSException.INVALID_REQUEST);
        }
        renewerParameters.setToken(renewTarget);
        if (tokenRequirements.getTokenType() == null) {
            LOG.fine("Received TokenType is null");
        }
        // Get the realm of the request
        String realm = null;
        if (stsProperties.getRealmParser() != null) {
            RealmParser realmParser = stsProperties.getRealmParser();
            realm = realmParser.parseRealm(messageContext);
        }
        renewerParameters.setRealm(realm);
        // Validate the request
        TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, tokenRequirements, renewTarget);
        if (tokenResponse == null) {
            LOG.fine("No Token Validator has been found that can handle this token");
            renewTarget.setState(STATE.INVALID);
            throw new STSException("No Token Validator has been found that can handle this token" + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
        }
        // Reject an invalid token
        if (tokenResponse.getToken().getState() != STATE.EXPIRED && tokenResponse.getToken().getState() != STATE.VALID) {
            LOG.fine("The token is not valid or expired, and so it cannot be renewed");
            throw new STSException("No Token Validator has been found that can handle this token" + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
        }
        // 
        // Renew the token
        // 
        TokenRenewerResponse tokenRenewerResponse = null;
        renewerParameters = createTokenRenewerParameters(requestRequirements, principal, messageContext);
        Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
        if (additionalProperties != null) {
            renewerParameters.setAdditionalProperties(additionalProperties);
        }
        renewerParameters.setRealm(tokenResponse.getTokenRealm());
        renewerParameters.setToken(tokenResponse.getToken());
        realm = tokenResponse.getTokenRealm();
        for (TokenRenewer tokenRenewer : tokenRenewers) {
            final boolean canHandle;
            if (realm == null) {
                canHandle = tokenRenewer.canHandleToken(tokenResponse.getToken());
            } else {
                canHandle = tokenRenewer.canHandleToken(tokenResponse.getToken(), realm);
            }
            if (canHandle) {
                try {
                    tokenRenewerResponse = tokenRenewer.renewToken(renewerParameters);
                } catch (STSException ex) {
                    LOG.log(Level.WARNING, "", ex);
                    throw ex;
                } catch (RuntimeException ex) {
                    LOG.log(Level.WARNING, "", ex);
                    throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
                }
                break;
            }
        }
        if (tokenRenewerResponse == null || tokenRenewerResponse.getToken() == null) {
            LOG.fine("No Token Renewer has been found that can handle this token");
            throw new STSException("No token renewer found for requested token type", STSException.REQUEST_FAILED);
        }
        // prepare response
        try {
            EncryptionProperties encryptionProperties = renewerParameters.getEncryptionProperties();
            RequestSecurityTokenResponseType response = createResponse(encryptionProperties, tokenRenewerResponse, tokenRequirements, keyRequirements);
            STSRenewSuccessEvent event = new STSRenewSuccessEvent(renewerParameters, System.currentTimeMillis() - start);
            publishEvent(event);
            cleanRequest(requestRequirements);
            return response;
        } catch (Throwable ex) {
            LOG.log(Level.WARNING, "", ex);
            throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
        }
    } catch (RuntimeException ex) {
        STSRenewFailureEvent event = new STSRenewFailureEvent(renewerParameters, System.currentTimeMillis() - start, ex);
        publishEvent(event);
        throw ex;
    }
}
Also used : STSRenewSuccessEvent(org.apache.cxf.sts.event.STSRenewSuccessEvent) TokenRenewerResponse(org.apache.cxf.sts.token.renewer.TokenRenewerResponse) RequestRequirements(org.apache.cxf.sts.request.RequestRequirements) STSException(org.apache.cxf.ws.security.sts.provider.STSException) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) RealmParser(org.apache.cxf.sts.RealmParser) STSRenewFailureEvent(org.apache.cxf.sts.event.STSRenewFailureEvent) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) TokenRenewerParameters(org.apache.cxf.sts.token.renewer.TokenRenewerParameters) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) KeyRequirements(org.apache.cxf.sts.request.KeyRequirements) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) TokenRenewer(org.apache.cxf.sts.token.renewer.TokenRenewer)

Example 2 with RequestSecurityTokenResponseType

use of org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType in project cxf by apache.

the class TokenRenewOperation method createResponse.

protected RequestSecurityTokenResponseType createResponse(EncryptionProperties encryptionProperties, TokenRenewerResponse tokenRenewerResponse, TokenRequirements tokenRequirements, KeyRequirements keyRequirements) throws WSSecurityException {
    RequestSecurityTokenResponseType response = QNameConstants.WS_TRUST_FACTORY.createRequestSecurityTokenResponseType();
    String context = tokenRequirements.getContext();
    if (context != null) {
        response.setContext(context);
    }
    // TokenType
    JAXBElement<String> jaxbTokenType = QNameConstants.WS_TRUST_FACTORY.createTokenType(tokenRequirements.getTokenType());
    response.getAny().add(jaxbTokenType);
    // RequestedSecurityToken
    RequestedSecurityTokenType requestedTokenType = QNameConstants.WS_TRUST_FACTORY.createRequestedSecurityTokenType();
    JAXBElement<RequestedSecurityTokenType> requestedToken = QNameConstants.WS_TRUST_FACTORY.createRequestedSecurityToken(requestedTokenType);
    LOG.fine("Encrypting Issued Token: " + encryptIssuedToken);
    requestedTokenType.setAny(tokenRenewerResponse.getToken());
    response.getAny().add(requestedToken);
    if (returnReferences) {
        // RequestedAttachedReference
        TokenReference attachedReference = tokenRenewerResponse.getAttachedReference();
        final RequestedReferenceType requestedAttachedReferenceType;
        if (attachedReference != null) {
            requestedAttachedReferenceType = createRequestedReference(attachedReference, true);
        } else {
            requestedAttachedReferenceType = createRequestedReference(tokenRenewerResponse.getTokenId(), tokenRequirements.getTokenType(), true);
        }
        JAXBElement<RequestedReferenceType> requestedAttachedReference = QNameConstants.WS_TRUST_FACTORY.createRequestedAttachedReference(requestedAttachedReferenceType);
        response.getAny().add(requestedAttachedReference);
        // RequestedUnattachedReference
        TokenReference unAttachedReference = tokenRenewerResponse.getUnAttachedReference();
        final RequestedReferenceType requestedUnattachedReferenceType;
        if (unAttachedReference != null) {
            requestedUnattachedReferenceType = createRequestedReference(unAttachedReference, false);
        } else {
            requestedUnattachedReferenceType = createRequestedReference(tokenRenewerResponse.getTokenId(), tokenRequirements.getTokenType(), false);
        }
        JAXBElement<RequestedReferenceType> requestedUnattachedReference = QNameConstants.WS_TRUST_FACTORY.createRequestedUnattachedReference(requestedUnattachedReferenceType);
        response.getAny().add(requestedUnattachedReference);
    }
    // AppliesTo
    response.getAny().add(tokenRequirements.getAppliesTo());
    // Lifetime
    if (includeLifetimeElement) {
        LifetimeType lifetime = createLifetime(tokenRenewerResponse.getCreated(), tokenRenewerResponse.getExpires());
        JAXBElement<LifetimeType> lifetimeType = QNameConstants.WS_TRUST_FACTORY.createLifetime(lifetime);
        response.getAny().add(lifetimeType);
    }
    return response;
}
Also used : RequestedReferenceType(org.apache.cxf.ws.security.sts.provider.model.RequestedReferenceType) LifetimeType(org.apache.cxf.ws.security.sts.provider.model.LifetimeType) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) RequestedSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType) TokenReference(org.apache.cxf.sts.token.provider.TokenReference)

Example 3 with RequestSecurityTokenResponseType

use of org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType in project cxf by apache.

the class TokenValidateOperation method validate.

public RequestSecurityTokenResponseType validate(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
    long start = System.currentTimeMillis();
    TokenValidatorParameters validatorParameters = new TokenValidatorParameters();
    try {
        RequestRequirements requestRequirements = parseRequest(request, messageContext);
        TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
        validatorParameters.setStsProperties(stsProperties);
        validatorParameters.setPrincipal(principal);
        validatorParameters.setMessageContext(messageContext);
        validatorParameters.setTokenStore(getTokenStore());
        // validatorParameters.setKeyRequirements(keyRequirements);
        validatorParameters.setTokenRequirements(tokenRequirements);
        ReceivedToken validateTarget = tokenRequirements.getValidateTarget();
        if (validateTarget == null || validateTarget.getToken() == null) {
            throw new STSException("No element presented for validation", STSException.INVALID_REQUEST);
        }
        validatorParameters.setToken(validateTarget);
        if (tokenRequirements.getTokenType() == null) {
            tokenRequirements.setTokenType(STSConstants.STATUS);
            LOG.fine("Received TokenType is null, falling back to default token type: " + STSConstants.STATUS);
        }
        // Get the realm of the request
        String realm = null;
        if (stsProperties.getRealmParser() != null) {
            RealmParser realmParser = stsProperties.getRealmParser();
            realm = realmParser.parseRealm(messageContext);
        }
        validatorParameters.setRealm(realm);
        TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, tokenRequirements, validateTarget);
        if (tokenResponse == null) {
            LOG.fine("No Token Validator has been found that can handle this token");
            tokenResponse = new TokenValidatorResponse();
            validateTarget.setState(STATE.INVALID);
            tokenResponse.setToken(validateTarget);
        }
        // 
        // Create a new token (if requested)
        // 
        TokenProviderResponse tokenProviderResponse = null;
        String tokenType = tokenRequirements.getTokenType();
        if (tokenResponse.getToken().getState() == STATE.VALID && !STSConstants.STATUS.equals(tokenType)) {
            TokenProviderParameters providerParameters = createTokenProviderParameters(requestRequirements, principal, messageContext);
            processValidToken(providerParameters, validateTarget, tokenResponse);
            // Check if the requested claims can be handled by the configured claim handlers
            providerParameters.setClaimsManager(claimsManager);
            Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
            if (additionalProperties != null) {
                providerParameters.setAdditionalProperties(additionalProperties);
            }
            realm = providerParameters.getRealm();
            for (TokenProvider tokenProvider : tokenProviders) {
                final boolean canHandle;
                if (realm == null) {
                    canHandle = tokenProvider.canHandleToken(tokenType);
                } else {
                    canHandle = tokenProvider.canHandleToken(tokenType, realm);
                }
                if (canHandle) {
                    try {
                        tokenProviderResponse = tokenProvider.createToken(providerParameters);
                    } catch (STSException ex) {
                        LOG.log(Level.WARNING, "", ex);
                        throw ex;
                    } catch (RuntimeException ex) {
                        LOG.log(Level.WARNING, "", ex);
                        throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
                    }
                    break;
                }
            }
            if (tokenProviderResponse == null || tokenProviderResponse.getToken() == null) {
                LOG.fine("No Token Provider has been found that can handle this token");
                throw new STSException("No token provider found for requested token type: " + tokenType, STSException.REQUEST_FAILED);
            }
        }
        // prepare response
        try {
            RequestSecurityTokenResponseType response = createResponse(tokenResponse, tokenProviderResponse, tokenRequirements);
            STSValidateSuccessEvent event = new STSValidateSuccessEvent(validatorParameters, System.currentTimeMillis() - start);
            publishEvent(event);
            cleanRequest(requestRequirements);
            return response;
        } catch (Throwable ex) {
            LOG.log(Level.WARNING, "", ex);
            throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
        }
    } catch (RuntimeException ex) {
        STSValidateFailureEvent event = new STSValidateFailureEvent(validatorParameters, System.currentTimeMillis() - start, ex);
        publishEvent(event);
        throw ex;
    }
}
Also used : RequestRequirements(org.apache.cxf.sts.request.RequestRequirements) STSException(org.apache.cxf.ws.security.sts.provider.STSException) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters) TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters) RealmParser(org.apache.cxf.sts.RealmParser) TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider) TokenRequirements(org.apache.cxf.sts.request.TokenRequirements) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse) STSValidateSuccessEvent(org.apache.cxf.sts.event.STSValidateSuccessEvent) STSValidateFailureEvent(org.apache.cxf.sts.event.STSValidateFailureEvent)

Example 4 with RequestSecurityTokenResponseType

use of org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType in project cxf by apache.

the class TokenValidateOperation method createResponse.

protected RequestSecurityTokenResponseType createResponse(TokenValidatorResponse tokenResponse, TokenProviderResponse tokenProviderResponse, TokenRequirements tokenRequirements) throws WSSecurityException {
    RequestSecurityTokenResponseType response = QNameConstants.WS_TRUST_FACTORY.createRequestSecurityTokenResponseType();
    String context = tokenRequirements.getContext();
    if (context != null) {
        response.setContext(context);
    }
    // TokenType
    boolean valid = tokenResponse.getToken().getState() == STATE.VALID;
    String tokenType = tokenRequirements.getTokenType();
    if (valid || STSConstants.STATUS.equals(tokenType)) {
        JAXBElement<String> jaxbTokenType = QNameConstants.WS_TRUST_FACTORY.createTokenType(tokenType);
        response.getAny().add(jaxbTokenType);
    }
    // Status
    StatusType statusType = QNameConstants.WS_TRUST_FACTORY.createStatusType();
    if (valid) {
        statusType.setCode(STSConstants.VALID_CODE);
        statusType.setReason(STSConstants.VALID_REASON);
    } else {
        statusType.setCode(STSConstants.INVALID_CODE);
        statusType.setReason(STSConstants.INVALID_REASON);
    }
    JAXBElement<StatusType> status = QNameConstants.WS_TRUST_FACTORY.createStatus(statusType);
    response.getAny().add(status);
    // RequestedSecurityToken
    if (valid && !STSConstants.STATUS.equals(tokenType) && tokenProviderResponse != null && tokenProviderResponse.getToken() != null) {
        RequestedSecurityTokenType requestedTokenType = QNameConstants.WS_TRUST_FACTORY.createRequestedSecurityTokenType();
        JAXBElement<RequestedSecurityTokenType> requestedToken = QNameConstants.WS_TRUST_FACTORY.createRequestedSecurityToken(requestedTokenType);
        tokenWrapper.wrapToken(tokenProviderResponse.getToken(), requestedTokenType);
        response.getAny().add(requestedToken);
        // Lifetime
        if (includeLifetimeElement) {
            LifetimeType lifetime = createLifetime(tokenProviderResponse.getCreated(), tokenProviderResponse.getExpires());
            JAXBElement<LifetimeType> lifetimeType = QNameConstants.WS_TRUST_FACTORY.createLifetime(lifetime);
            response.getAny().add(lifetimeType);
        }
        if (returnReferences) {
            // RequestedAttachedReference
            TokenReference attachedReference = tokenProviderResponse.getAttachedReference();
            final RequestedReferenceType requestedAttachedReferenceType;
            if (attachedReference != null) {
                requestedAttachedReferenceType = createRequestedReference(attachedReference, true);
            } else {
                requestedAttachedReferenceType = createRequestedReference(tokenProviderResponse.getTokenId(), tokenRequirements.getTokenType(), true);
            }
            JAXBElement<RequestedReferenceType> requestedAttachedReference = QNameConstants.WS_TRUST_FACTORY.createRequestedAttachedReference(requestedAttachedReferenceType);
            response.getAny().add(requestedAttachedReference);
            // RequestedUnattachedReference
            TokenReference unAttachedReference = tokenProviderResponse.getUnAttachedReference();
            final RequestedReferenceType requestedUnattachedReferenceType;
            if (unAttachedReference != null) {
                requestedUnattachedReferenceType = createRequestedReference(unAttachedReference, false);
            } else {
                requestedUnattachedReferenceType = createRequestedReference(tokenProviderResponse.getTokenId(), tokenRequirements.getTokenType(), false);
            }
            JAXBElement<RequestedReferenceType> requestedUnattachedReference = QNameConstants.WS_TRUST_FACTORY.createRequestedUnattachedReference(requestedUnattachedReferenceType);
            response.getAny().add(requestedUnattachedReference);
        }
    }
    return response;
}
Also used : RequestedReferenceType(org.apache.cxf.ws.security.sts.provider.model.RequestedReferenceType) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) RequestedSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType) StatusType(org.apache.cxf.ws.security.sts.provider.model.StatusType) LifetimeType(org.apache.cxf.ws.security.sts.provider.model.LifetimeType) TokenReference(org.apache.cxf.sts.token.provider.TokenReference)

Example 5 with RequestSecurityTokenResponseType

use of org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType in project cxf by apache.

the class STSRESTTest method testExplicitlyIssueSAML2TokenViaPOST.

@org.junit.Test
public void testExplicitlyIssueSAML2TokenViaPOST() throws Exception {
    WebClient client = webClient().query("action", "issue").type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
    // Create RequestSecurityToken
    W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
    writer.writeStartElement("wst", "RequestSecurityToken", WST_NS_05_12);
    writer.writeStartElement("wst", "RequestType", WST_NS_05_12);
    writer.writeCharacters(WST_NS_05_12 + "/Issue");
    writer.writeEndElement();
    writer.writeStartElement("wst", "TokenType", WST_NS_05_12);
    writer.writeCharacters(SAML2_TOKEN_TYPE);
    writer.writeEndElement();
    writer.writeEndElement();
    RequestSecurityTokenResponseType securityResponse = client.post(new DOMSource(writer.getDocument().getDocumentElement()), RequestSecurityTokenResponseType.class);
    validateSAMLSecurityTokenResponse(securityResponse, true);
}
Also used : W3CDOMStreamWriter(org.apache.cxf.staxutils.W3CDOMStreamWriter) DOMSource(javax.xml.transform.dom.DOMSource) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) WebClient(org.apache.cxf.jaxrs.client.WebClient)

Aggregations

RequestSecurityTokenResponseType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)121 JAXBElement (javax.xml.bind.JAXBElement)101 RequestSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType)95 WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)86 MessageImpl (org.apache.cxf.message.MessageImpl)86 STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)79 StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)79 Crypto (org.apache.wss4j.common.crypto.Crypto)74 PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)73 Element (org.w3c.dom.Element)72 RequestSecurityTokenResponseCollectionType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType)63 RequestedSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType)63 ServiceMBean (org.apache.cxf.sts.service.ServiceMBean)58 StaticService (org.apache.cxf.sts.service.StaticService)58 CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)57 Principal (java.security.Principal)49 SecurityContext (org.apache.cxf.security.SecurityContext)49 SAMLTokenProvider (org.apache.cxf.sts.token.provider.SAMLTokenProvider)40 Document (org.w3c.dom.Document)32 STSException (org.apache.cxf.ws.security.sts.provider.STSException)26