use of org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType in project cxf by apache.
the class TokenRenewOperation method renew.
public RequestSecurityTokenResponseType renew(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
long start = System.currentTimeMillis();
TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
try {
RequestRequirements requestRequirements = parseRequest(request, messageContext);
KeyRequirements keyRequirements = requestRequirements.getKeyRequirements();
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
renewerParameters.setStsProperties(stsProperties);
renewerParameters.setPrincipal(principal);
renewerParameters.setMessageContext(messageContext);
renewerParameters.setTokenStore(getTokenStore());
renewerParameters.setKeyRequirements(keyRequirements);
renewerParameters.setTokenRequirements(tokenRequirements);
ReceivedToken renewTarget = tokenRequirements.getRenewTarget();
if (renewTarget == null || renewTarget.getToken() == null) {
throw new STSException("No element presented for renewal", STSException.INVALID_REQUEST);
}
renewerParameters.setToken(renewTarget);
if (tokenRequirements.getTokenType() == null) {
LOG.fine("Received TokenType is null");
}
// Get the realm of the request
String realm = null;
if (stsProperties.getRealmParser() != null) {
RealmParser realmParser = stsProperties.getRealmParser();
realm = realmParser.parseRealm(messageContext);
}
renewerParameters.setRealm(realm);
// Validate the request
TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, tokenRequirements, renewTarget);
if (tokenResponse == null) {
LOG.fine("No Token Validator has been found that can handle this token");
renewTarget.setState(STATE.INVALID);
throw new STSException("No Token Validator has been found that can handle this token" + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
}
// Reject an invalid token
if (tokenResponse.getToken().getState() != STATE.EXPIRED && tokenResponse.getToken().getState() != STATE.VALID) {
LOG.fine("The token is not valid or expired, and so it cannot be renewed");
throw new STSException("No Token Validator has been found that can handle this token" + tokenRequirements.getTokenType(), STSException.REQUEST_FAILED);
}
//
// Renew the token
//
TokenRenewerResponse tokenRenewerResponse = null;
renewerParameters = createTokenRenewerParameters(requestRequirements, principal, messageContext);
Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
if (additionalProperties != null) {
renewerParameters.setAdditionalProperties(additionalProperties);
}
renewerParameters.setRealm(tokenResponse.getTokenRealm());
renewerParameters.setToken(tokenResponse.getToken());
realm = tokenResponse.getTokenRealm();
for (TokenRenewer tokenRenewer : tokenRenewers) {
final boolean canHandle;
if (realm == null) {
canHandle = tokenRenewer.canHandleToken(tokenResponse.getToken());
} else {
canHandle = tokenRenewer.canHandleToken(tokenResponse.getToken(), realm);
}
if (canHandle) {
try {
tokenRenewerResponse = tokenRenewer.renewToken(renewerParameters);
} catch (STSException ex) {
LOG.log(Level.WARNING, "", ex);
throw ex;
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
}
break;
}
}
if (tokenRenewerResponse == null || tokenRenewerResponse.getToken() == null) {
LOG.fine("No Token Renewer has been found that can handle this token");
throw new STSException("No token renewer found for requested token type", STSException.REQUEST_FAILED);
}
// prepare response
try {
EncryptionProperties encryptionProperties = renewerParameters.getEncryptionProperties();
RequestSecurityTokenResponseType response = createResponse(encryptionProperties, tokenRenewerResponse, tokenRequirements, keyRequirements);
STSRenewSuccessEvent event = new STSRenewSuccessEvent(renewerParameters, System.currentTimeMillis() - start);
publishEvent(event);
cleanRequest(requestRequirements);
return response;
} catch (Throwable ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
}
} catch (RuntimeException ex) {
STSRenewFailureEvent event = new STSRenewFailureEvent(renewerParameters, System.currentTimeMillis() - start, ex);
publishEvent(event);
throw ex;
}
}
use of org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType in project cxf by apache.
the class TokenRenewOperation method createResponse.
protected RequestSecurityTokenResponseType createResponse(EncryptionProperties encryptionProperties, TokenRenewerResponse tokenRenewerResponse, TokenRequirements tokenRequirements, KeyRequirements keyRequirements) throws WSSecurityException {
RequestSecurityTokenResponseType response = QNameConstants.WS_TRUST_FACTORY.createRequestSecurityTokenResponseType();
String context = tokenRequirements.getContext();
if (context != null) {
response.setContext(context);
}
// TokenType
JAXBElement<String> jaxbTokenType = QNameConstants.WS_TRUST_FACTORY.createTokenType(tokenRequirements.getTokenType());
response.getAny().add(jaxbTokenType);
// RequestedSecurityToken
RequestedSecurityTokenType requestedTokenType = QNameConstants.WS_TRUST_FACTORY.createRequestedSecurityTokenType();
JAXBElement<RequestedSecurityTokenType> requestedToken = QNameConstants.WS_TRUST_FACTORY.createRequestedSecurityToken(requestedTokenType);
LOG.fine("Encrypting Issued Token: " + encryptIssuedToken);
requestedTokenType.setAny(tokenRenewerResponse.getToken());
response.getAny().add(requestedToken);
if (returnReferences) {
// RequestedAttachedReference
TokenReference attachedReference = tokenRenewerResponse.getAttachedReference();
final RequestedReferenceType requestedAttachedReferenceType;
if (attachedReference != null) {
requestedAttachedReferenceType = createRequestedReference(attachedReference, true);
} else {
requestedAttachedReferenceType = createRequestedReference(tokenRenewerResponse.getTokenId(), tokenRequirements.getTokenType(), true);
}
JAXBElement<RequestedReferenceType> requestedAttachedReference = QNameConstants.WS_TRUST_FACTORY.createRequestedAttachedReference(requestedAttachedReferenceType);
response.getAny().add(requestedAttachedReference);
// RequestedUnattachedReference
TokenReference unAttachedReference = tokenRenewerResponse.getUnAttachedReference();
final RequestedReferenceType requestedUnattachedReferenceType;
if (unAttachedReference != null) {
requestedUnattachedReferenceType = createRequestedReference(unAttachedReference, false);
} else {
requestedUnattachedReferenceType = createRequestedReference(tokenRenewerResponse.getTokenId(), tokenRequirements.getTokenType(), false);
}
JAXBElement<RequestedReferenceType> requestedUnattachedReference = QNameConstants.WS_TRUST_FACTORY.createRequestedUnattachedReference(requestedUnattachedReferenceType);
response.getAny().add(requestedUnattachedReference);
}
// AppliesTo
response.getAny().add(tokenRequirements.getAppliesTo());
// Lifetime
if (includeLifetimeElement) {
LifetimeType lifetime = createLifetime(tokenRenewerResponse.getCreated(), tokenRenewerResponse.getExpires());
JAXBElement<LifetimeType> lifetimeType = QNameConstants.WS_TRUST_FACTORY.createLifetime(lifetime);
response.getAny().add(lifetimeType);
}
return response;
}
use of org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType in project cxf by apache.
the class TokenValidateOperation method validate.
public RequestSecurityTokenResponseType validate(RequestSecurityTokenType request, Principal principal, Map<String, Object> messageContext) {
long start = System.currentTimeMillis();
TokenValidatorParameters validatorParameters = new TokenValidatorParameters();
try {
RequestRequirements requestRequirements = parseRequest(request, messageContext);
TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements();
validatorParameters.setStsProperties(stsProperties);
validatorParameters.setPrincipal(principal);
validatorParameters.setMessageContext(messageContext);
validatorParameters.setTokenStore(getTokenStore());
// validatorParameters.setKeyRequirements(keyRequirements);
validatorParameters.setTokenRequirements(tokenRequirements);
ReceivedToken validateTarget = tokenRequirements.getValidateTarget();
if (validateTarget == null || validateTarget.getToken() == null) {
throw new STSException("No element presented for validation", STSException.INVALID_REQUEST);
}
validatorParameters.setToken(validateTarget);
if (tokenRequirements.getTokenType() == null) {
tokenRequirements.setTokenType(STSConstants.STATUS);
LOG.fine("Received TokenType is null, falling back to default token type: " + STSConstants.STATUS);
}
// Get the realm of the request
String realm = null;
if (stsProperties.getRealmParser() != null) {
RealmParser realmParser = stsProperties.getRealmParser();
realm = realmParser.parseRealm(messageContext);
}
validatorParameters.setRealm(realm);
TokenValidatorResponse tokenResponse = validateReceivedToken(principal, messageContext, realm, tokenRequirements, validateTarget);
if (tokenResponse == null) {
LOG.fine("No Token Validator has been found that can handle this token");
tokenResponse = new TokenValidatorResponse();
validateTarget.setState(STATE.INVALID);
tokenResponse.setToken(validateTarget);
}
//
// Create a new token (if requested)
//
TokenProviderResponse tokenProviderResponse = null;
String tokenType = tokenRequirements.getTokenType();
if (tokenResponse.getToken().getState() == STATE.VALID && !STSConstants.STATUS.equals(tokenType)) {
TokenProviderParameters providerParameters = createTokenProviderParameters(requestRequirements, principal, messageContext);
processValidToken(providerParameters, validateTarget, tokenResponse);
// Check if the requested claims can be handled by the configured claim handlers
providerParameters.setClaimsManager(claimsManager);
Map<String, Object> additionalProperties = tokenResponse.getAdditionalProperties();
if (additionalProperties != null) {
providerParameters.setAdditionalProperties(additionalProperties);
}
realm = providerParameters.getRealm();
for (TokenProvider tokenProvider : tokenProviders) {
final boolean canHandle;
if (realm == null) {
canHandle = tokenProvider.canHandleToken(tokenType);
} else {
canHandle = tokenProvider.canHandleToken(tokenType, realm);
}
if (canHandle) {
try {
tokenProviderResponse = tokenProvider.createToken(providerParameters);
} catch (STSException ex) {
LOG.log(Level.WARNING, "", ex);
throw ex;
} catch (RuntimeException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in providing a token", ex, STSException.REQUEST_FAILED);
}
break;
}
}
if (tokenProviderResponse == null || tokenProviderResponse.getToken() == null) {
LOG.fine("No Token Provider has been found that can handle this token");
throw new STSException("No token provider found for requested token type: " + tokenType, STSException.REQUEST_FAILED);
}
}
// prepare response
try {
RequestSecurityTokenResponseType response = createResponse(tokenResponse, tokenProviderResponse, tokenRequirements);
STSValidateSuccessEvent event = new STSValidateSuccessEvent(validatorParameters, System.currentTimeMillis() - start);
publishEvent(event);
cleanRequest(requestRequirements);
return response;
} catch (Throwable ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in creating the response", ex, STSException.REQUEST_FAILED);
}
} catch (RuntimeException ex) {
STSValidateFailureEvent event = new STSValidateFailureEvent(validatorParameters, System.currentTimeMillis() - start, ex);
publishEvent(event);
throw ex;
}
}
use of org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType in project cxf by apache.
the class TokenValidateOperation method createResponse.
protected RequestSecurityTokenResponseType createResponse(TokenValidatorResponse tokenResponse, TokenProviderResponse tokenProviderResponse, TokenRequirements tokenRequirements) throws WSSecurityException {
RequestSecurityTokenResponseType response = QNameConstants.WS_TRUST_FACTORY.createRequestSecurityTokenResponseType();
String context = tokenRequirements.getContext();
if (context != null) {
response.setContext(context);
}
// TokenType
boolean valid = tokenResponse.getToken().getState() == STATE.VALID;
String tokenType = tokenRequirements.getTokenType();
if (valid || STSConstants.STATUS.equals(tokenType)) {
JAXBElement<String> jaxbTokenType = QNameConstants.WS_TRUST_FACTORY.createTokenType(tokenType);
response.getAny().add(jaxbTokenType);
}
// Status
StatusType statusType = QNameConstants.WS_TRUST_FACTORY.createStatusType();
if (valid) {
statusType.setCode(STSConstants.VALID_CODE);
statusType.setReason(STSConstants.VALID_REASON);
} else {
statusType.setCode(STSConstants.INVALID_CODE);
statusType.setReason(STSConstants.INVALID_REASON);
}
JAXBElement<StatusType> status = QNameConstants.WS_TRUST_FACTORY.createStatus(statusType);
response.getAny().add(status);
// RequestedSecurityToken
if (valid && !STSConstants.STATUS.equals(tokenType) && tokenProviderResponse != null && tokenProviderResponse.getToken() != null) {
RequestedSecurityTokenType requestedTokenType = QNameConstants.WS_TRUST_FACTORY.createRequestedSecurityTokenType();
JAXBElement<RequestedSecurityTokenType> requestedToken = QNameConstants.WS_TRUST_FACTORY.createRequestedSecurityToken(requestedTokenType);
tokenWrapper.wrapToken(tokenProviderResponse.getToken(), requestedTokenType);
response.getAny().add(requestedToken);
// Lifetime
if (includeLifetimeElement) {
LifetimeType lifetime = createLifetime(tokenProviderResponse.getCreated(), tokenProviderResponse.getExpires());
JAXBElement<LifetimeType> lifetimeType = QNameConstants.WS_TRUST_FACTORY.createLifetime(lifetime);
response.getAny().add(lifetimeType);
}
if (returnReferences) {
// RequestedAttachedReference
TokenReference attachedReference = tokenProviderResponse.getAttachedReference();
final RequestedReferenceType requestedAttachedReferenceType;
if (attachedReference != null) {
requestedAttachedReferenceType = createRequestedReference(attachedReference, true);
} else {
requestedAttachedReferenceType = createRequestedReference(tokenProviderResponse.getTokenId(), tokenRequirements.getTokenType(), true);
}
JAXBElement<RequestedReferenceType> requestedAttachedReference = QNameConstants.WS_TRUST_FACTORY.createRequestedAttachedReference(requestedAttachedReferenceType);
response.getAny().add(requestedAttachedReference);
// RequestedUnattachedReference
TokenReference unAttachedReference = tokenProviderResponse.getUnAttachedReference();
final RequestedReferenceType requestedUnattachedReferenceType;
if (unAttachedReference != null) {
requestedUnattachedReferenceType = createRequestedReference(unAttachedReference, false);
} else {
requestedUnattachedReferenceType = createRequestedReference(tokenProviderResponse.getTokenId(), tokenRequirements.getTokenType(), false);
}
JAXBElement<RequestedReferenceType> requestedUnattachedReference = QNameConstants.WS_TRUST_FACTORY.createRequestedUnattachedReference(requestedUnattachedReferenceType);
response.getAny().add(requestedUnattachedReference);
}
}
return response;
}
use of org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType in project cxf by apache.
the class STSRESTTest method testExplicitlyIssueSAML2TokenViaPOST.
@org.junit.Test
public void testExplicitlyIssueSAML2TokenViaPOST() throws Exception {
WebClient client = webClient().query("action", "issue").type(MediaType.APPLICATION_XML).accept(MediaType.APPLICATION_XML);
// Create RequestSecurityToken
W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
writer.writeStartElement("wst", "RequestSecurityToken", WST_NS_05_12);
writer.writeStartElement("wst", "RequestType", WST_NS_05_12);
writer.writeCharacters(WST_NS_05_12 + "/Issue");
writer.writeEndElement();
writer.writeStartElement("wst", "TokenType", WST_NS_05_12);
writer.writeCharacters(SAML2_TOKEN_TYPE);
writer.writeEndElement();
writer.writeEndElement();
RequestSecurityTokenResponseType securityResponse = client.post(new DOMSource(writer.getDocument().getDocumentElement()), RequestSecurityTokenResponseType.class);
validateSAMLSecurityTokenResponse(securityResponse, true);
}
Aggregations