
Example 41 with SecurityToken

use of org.apache.cxf.ws.security.tokenstore.SecurityToken in project cxf by apache.

From class STSTokenRetriever, method getToken:

/**
 * Obtains a {@link SecurityToken} for the outbound {@code message}, preferring a token already
 * held by {@code tokenCacher} and falling back to a fresh request against the STS.
 *
 * <p>Order of resolution, in the form the code below shows it: a token cached against the
 * message itself, then one cached against the OnBehalfOf token, then one cached against the
 * ActAs token. A cached token is passed through {@code renewToken}; when nothing is cached the
 * token is requested from the STS via {@code getTokenFromSTS}. Whatever comes back is stored
 * under the delegation tokens and against the message before being returned.
 *
 * <p>The {@link STSClient} obtained from {@code STSUtils} is shared, so all work on it happens
 * under its monitor and the per-call settings (trust versions, template, addressing namespace)
 * are reset in a {@code finally} block.
 *
 * @param message     the outbound message; supplies the security properties and, when no explicit
 *                    AppliesTo is configured, the endpoint address
 * @param params      request parameters; only {@code getIssuer()} is read here, the rest is
 *                    handed to {@code renewToken}/{@code getTokenFromSTS}
 * @param tokenCacher cache used both to look up and to store tokens
 * @return the resolved token, or {@code null} when neither the cache nor the STS produced one
 * @throws Fault wrapping any checked exception thrown while talking to the cache or the STS;
 *         runtime exceptions propagate unchanged
 */
public static SecurityToken getToken(Message message, TokenRequestParams params, STSTokenCacher tokenCacher) {
    final String appliesTo = resolveAppliesTo(message);
    final STSClient client = STSUtils.getClientWithIssuer(message, "sts", params.getIssuer());
    synchronized (client) {
        try {
            client.setMessage(message);
            // Carry ActAs / OnBehalfOf settings from the original request over to the STS client.
            Object delegation = SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_TOKEN_ACT_AS, message);
            if (delegation != null) {
                client.setActAs(delegation);
            }
            delegation = SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_TOKEN_ON_BEHALF_OF, message);
            if (delegation != null) {
                client.setOnBehalfOf(delegation);
            }
            final boolean appliesToEnabled = client.isEnableAppliesTo();
            final Element onBehalfOfToken = client.getOnBehalfOfToken();
            final Element actAsToken = client.getActAsToken();
            // Cache key: the AppliesTo address while it is in use and non-empty, otherwise the
            // shared ASSOCIATED_TOKEN key (a constant declared elsewhere in this class).
            final String cacheKey = appliesToEnabled && appliesTo != null && !appliesTo.isEmpty()
                ? appliesTo
                : ASSOCIATED_TOKEN;
            final boolean cacheToken = isCachedTokenFromEndpoint(message, onBehalfOfToken, actAsToken);

            // 1. a token cached against the message, 2./3. one cached against a delegation token.
            SecurityToken resolved = tokenCacher.retrieveToken(message, cacheToken);
            if (resolved == null && onBehalfOfToken != null) {
                resolved = tokenCacher.retrieveToken(message, onBehalfOfToken, cacheKey);
            }
            if (resolved == null && actAsToken != null) {
                resolved = tokenCacher.retrieveToken(message, actAsToken, cacheKey);
            }
            // A cached token may need renewing; no cached token means a round trip to the STS.
            resolved = resolved == null
                ? getTokenFromSTS(message, client, appliesTo, params)
                : renewToken(message, resolved, params, tokenCacher);
            if (resolved != null) {
                tokenCacher.storeToken(message, onBehalfOfToken, resolved.getId(), cacheKey);
                tokenCacher.storeToken(message, actAsToken, resolved.getId(), cacheKey);
                tokenCacher.storeToken(message, resolved, cacheToken);
            }
            return resolved;
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw new Fault(e);
        } finally {
            // Undo the per-call configuration so the shared client starts clean next time.
            client.setTrust((Trust10) null);
            client.setTrust((Trust13) null);
            client.setTemplate(null);
            client.setAddressingNamespace(null);
        }
    }
}

/**
 * Determines the AppliesTo value for the request: the explicitly configured
 * {@code SecurityConstants.STS_APPLIES_TO} property when present, otherwise the message's
 * endpoint address with any query string removed.
 *
 * @param message the outbound message
 * @return the AppliesTo address; {@code null} only if the configured property is absent and
 *         the endpoint address property is absent as well (the latter currently raises an NPE,
 *         exactly as the inline form did)
 */
private static String resolveAppliesTo(Message message) {
    final Object configured = SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_APPLIES_TO, message);
    if (configured != null) {
        return configured.toString();
    }
    String endpointAddress = message.getContextualProperty(Message.ENDPOINT_ADDRESS).toString();
    // Drop any query parameters so the address matches the service, not one particular call.
    final int queryStart = endpointAddress.indexOf('?');
    if (queryStart > 0) {
        endpointAddress = endpointAddress.substring(0, queryStart);
    }
    return endpointAddress;
}

Example 42 with SecurityToken

use of org.apache.cxf.ws.security.tokenstore.SecurityToken in project cxf by apache.

From class STSTokenValidator, method validateWithSTS:

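/**
 * Validates {@code credential} with the STS and, when the STS hands back a transformed token,
 * attaches the resulting SAML assertion and principal to the credential.
 *
 * <p>Flow as written below: the incoming token (SAML assertion, UsernameToken,
 * BinarySecurityToken or SecurityContextToken) is wrapped in a {@link SecurityToken} together
 * with an {@code int} hash used as a cache key. Unless caching is disabled, a cached, unexpired
 * transformed token for that hash short-circuits the STS call. Otherwise the shared
 * {@link STSClient} is used to either issue a new token (OnBehalfOf or UsernameToken binding)
 * or validate the existing one, and the result is cached under the hash.
 *
 * <p>Fix in this revision: the OnBehalfOf callback and the USERNAME/PASSWORD entries placed on
 * the shared client are now cleared in {@code finally} blocks, so a failed
 * {@code requestSecurityToken()} no longer leaves another caller's delegation token or
 * password behind on the client that later requests reuse.
 *
 * <p>NOTE(review): the cache key is a 32-bit {@code hashCode}/{@code Arrays.hashCode} of the
 * incoming token. Two different tokens that collide on this value would be served the same
 * cached transformed token; whether the surrounding {@code TokenStore} mitigates that is not
 * visible here.
 *
 * @param credential the credential produced by the WSS4J validator for the inbound token
 * @param message    the inbound message; used to locate a token store and the STS client
 * @return the same {@code credential} instance, possibly with a transformed token and
 *         principal set on it
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} for any checked failure;
 *         runtime exceptions (including an {@code IndexOutOfBoundsException} when the STS
 *         returns no tokens) propagate unchanged
 */
public Credential validateWithSTS(Credential credential, Message message) throws WSSecurityException {
    try {
        SecurityToken token = new SecurityToken();
        Element tokenElement = null;
        // Cache key for the incoming token; 0 means "nothing to key on, do not cache".
        int hash = 0;
        if (credential.getSamlAssertion() != null) {
            SamlAssertionWrapper assertion = credential.getSamlAssertion();
            byte[] signatureValue = assertion.getSignatureValue();
            // Only a signed assertion gets a cache key; an unsigned one is never cached.
            if (signatureValue != null && signatureValue.length > 0) {
                hash = Arrays.hashCode(signatureValue);
            }
            tokenElement = credential.getSamlAssertion().getElement();
        } else if (credential.getUsernametoken() != null) {
            tokenElement = credential.getUsernametoken().getElement();
            hash = credential.getUsernametoken().hashCode();
        } else if (credential.getBinarySecurityToken() != null) {
            tokenElement = credential.getBinarySecurityToken().getElement();
            hash = credential.getBinarySecurityToken().hashCode();
        } else if (credential.getSecurityContextToken() != null) {
            tokenElement = credential.getSecurityContextToken().getElement();
            hash = credential.getSecurityContextToken().hashCode();
        }
        token.setToken(tokenElement);
        TokenStore ts = null;
        if (!disableCaching) {
            // Prefer the store attached to the message, then the one configured on this validator.
            ts = getTokenStore(message);
            if (ts == null) {
                ts = tokenStore;
            }
            if (ts != null && hash != 0) {
                SecurityToken transformedToken = getTransformedToken(ts, hash);
                // Cache hit with a live token: no STS round trip needed.
                if (transformedToken != null && !transformedToken.isExpired()) {
                    SamlAssertionWrapper assertion = new SamlAssertionWrapper(transformedToken.getToken());
                    credential.setPrincipal(new SAMLTokenPrincipalImpl(assertion));
                    credential.setTransformedToken(assertion);
                    return credential;
                }
            }
        }
        token.setTokenHash(hash);
        STSClient c = stsClient;
        if (c == null) {
            c = STSUtils.getClient(message, "sts");
        }
        // The client is shared and mutated below, so serialise its use.
        synchronized (c) {
            // Process-wide JVM property, not scoped to this call; kept as-is (pre-existing behaviour).
            System.setProperty("noprint", "true");
            final SecurityToken returnedToken;
            if (useIssueBinding && useOnBehalfOf) {
                ElementCallbackHandler callbackHandler = new ElementCallbackHandler(tokenElement);
                c.setOnBehalfOf(callbackHandler);
                try {
                    returnedToken = c.requestSecurityToken();
                } finally {
                    // Clear even on failure so the next request on this client does not act
                    // on behalf of this caller's token.
                    c.setOnBehalfOf(null);
                }
            } else if (useIssueBinding && !useOnBehalfOf && credential.getUsernametoken() != null) {
                c.getProperties().put(SecurityConstants.USERNAME, credential.getUsernametoken().getName());
                c.getProperties().put(SecurityConstants.PASSWORD, credential.getUsernametoken().getPassword());
                try {
                    returnedToken = c.requestSecurityToken();
                } finally {
                    // Remove the credentials even on failure; the client outlives this call.
                    c.getProperties().remove(SecurityConstants.USERNAME);
                    c.getProperties().remove(SecurityConstants.PASSWORD);
                }
            } else {
                List<SecurityToken> tokens = c.validateSecurityToken(token);
                // An empty list throws IndexOutOfBoundsException here, which the catch below rethrows.
                returnedToken = tokens.get(0);
            }
            // Identity comparison: presumably the validate path returns the input object when the
            // STS did not transform the token — confirm against STSClient.validateSecurityToken.
            if (returnedToken != token) {
                SamlAssertionWrapper assertion = new SamlAssertionWrapper(returnedToken.getToken());
                credential.setTransformedToken(assertion);
                credential.setPrincipal(new SAMLTokenPrincipalImpl(assertion));
                if (!disableCaching && hash != 0 && ts != null) {
                    // Store the transformed token, then the original keyed by its hash and
                    // pointing at the transformed token's id.
                    ts.add(returnedToken);
                    token.setTransformedTokenIdentifier(returnedToken.getId());
                    ts.add(Integer.toString(hash), token);
                }
            }
            return credential;
        }
    } catch (RuntimeException e) {
        throw e;
    } catch (Exception e) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "invalidSAMLsecurity");
    }
}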

Example 43 with SecurityToken

use of org.apache.cxf.ws.security.tokenstore.SecurityToken in project cxf by apache.

From class STSTokenOutInterceptor, method handleMessage:

/**
 * Fetches a security token for the outbound {@code message} and hands it to
 * {@code processToken}.
 *
 * <p>If this interceptor was configured with its own {@code stsClient}, that client is placed
 * on the message under {@code SecurityConstants.STS_CLIENT} first, so the retriever picks it
 * up instead of looking one up. A {@code null} result from the retriever is logged at WARNING
 * level but still passed on to {@code processToken}, which is therefore expected to cope with
 * it.
 *
 * @param message the outbound message
 * @throws Fault propagated from {@link STSTokenRetriever#getToken}
 */
@Override
public void handleMessage(Message message) throws Fault {
    if (stsClient != null) {
        // An explicitly configured client takes precedence over any lookup by the retriever.
        message.put(SecurityConstants.STS_CLIENT, stsClient);
    }
    final SecurityToken retrieved = STSTokenRetriever.getToken(message, tokenParams, tokenCacher);
    if (retrieved == null) {
        LOG.warning("Security token was not retrieved from STS");
    }
    processToken(message, retrieved);
}

Example 44 with SecurityToken

use of org.apache.cxf.ws.security.tokenstore.SecurityToken in project cxf by apache.

From class SecureConversationOutInterceptor, method handleMessage:

/**
 * Handles the SecureConversationToken policy assertion on an outbound message.
 *
 * <p>Nothing happens unless the message carries an {@link AssertionInfoMap} with at least one
 * SecureConversationToken assertion. On the client (requestor) side an existing token is taken
 * from the {@code SecurityConstants.TOKEN} property, or looked up in the token store by the
 * {@code SecurityConstants.TOKEN_ID} property; a missing token is issued, an existing one is
 * renewed. The resulting token and its id are then published on the endpoint and the exchange
 * and added to the token store. On the server side the assertions are simply marked as
 * asserted, because the token was checked on the inbound path.
 *
 * @param message the outbound SOAP message
 * @throws Fault wrapping a {@link TokenStoreException} from the token store or from issuing /
 *         renewing the token
 */
public void handleMessage(SoapMessage message) throws Fault {
    final AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    if (aim == null) {
        return;
    }
    final Collection<AssertionInfo> ais =
        PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
    if (ais.isEmpty()) {
        return;
    }
    if (!isRequestor(message)) {
        // Server side: the token was already checked on the way in.
        markAsserted(ais);
        PolicyUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
        return;
    }
    final SecureConversationToken scToken = (SecureConversationToken) ais.iterator().next().getAssertion();
    try {
        SecurityToken tok = findExistingToken(message);
        tok = tok == null ? issueToken(message, aim, scToken) : renewToken(message, aim, tok, scToken);
        if (tok != null) {
            markAsserted(ais);
            // Publish the token on the endpoint (for later exchanges) and on this exchange.
            message.getExchange().getEndpoint().put(SecurityConstants.TOKEN, tok);
            message.getExchange().getEndpoint().put(SecurityConstants.TOKEN_ID, tok.getId());
            message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getId());
            message.getExchange().put(SecurityConstants.TOKEN, tok);
            TokenStoreUtils.getTokenStore(message).add(tok);
        }
        PolicyUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
    } catch (TokenStoreException ex) {
        throw new Fault(ex);
    }
}

/**
 * Looks for a token already associated with the message: first the
 * {@code SecurityConstants.TOKEN} property, then the token store entry named by the
 * {@code SecurityConstants.TOKEN_ID} property.
 *
 * @param message the outbound SOAP message
 * @return the existing token, or {@code null} when neither property yields one
 * @throws TokenStoreException propagated from the token store lookup
 */
private static SecurityToken findExistingToken(SoapMessage message) throws TokenStoreException {
    final SecurityToken fromProperty = (SecurityToken) message.getContextualProperty(SecurityConstants.TOKEN);
    if (fromProperty != null) {
        return fromProperty;
    }
    final String tokId = (String) message.getContextualProperty(SecurityConstants.TOKEN_ID);
    if (tokId == null) {
        return null;
    }
    return TokenStoreUtils.getTokenStore(message).getToken(tokId);
}

/**
 * Marks every assertion in {@code ais} as asserted.
 *
 * @param ais the SecureConversationToken assertions found on the message
 */
private static void markAsserted(Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        ai.setAsserted(true);
    }
}

Example 45 with SecurityToken

use of org.apache.cxf.ws.security.tokenstore.SecurityToken in project cxf by apache.

From class SpnegoContextTokenOutInterceptor, method handleMessage:

/**
 * Handles the SpnegoContextToken policy assertion on an outbound message.
 *
 * <p>Nothing happens unless the message carries an {@link AssertionInfoMap} with at least one
 * SpnegoContextToken assertion. On the client (requestor) side the token named by the
 * {@code SecurityConstants.TOKEN_ID} property is fetched from the token store; an expired token
 * is evicted from the endpoint, the exchange and the store, and a fresh one is issued whenever
 * no usable token remains. The token id is then published on the endpoint and the exchange and
 * the token is added to the store. On the server side the assertions are only marked as
 * asserted, because the token was checked on the inbound path.
 *
 * <p>Unlike the secure-conversation variant, the token returned by {@code issueToken} is used
 * without a {@code null} check; presumably {@code issueToken} never returns {@code null} —
 * confirm against its implementation.
 *
 * @param message the outbound SOAP message
 * @throws Fault wrapping a {@link TokenStoreException} from the token store or from issuing
 *         the token
 */
public void handleMessage(SoapMessage message) throws Fault {
    final AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    if (aim == null) {
        return;
    }
    final Collection<AssertionInfo> ais =
        PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
    if (ais.isEmpty()) {
        return;
    }
    if (!isRequestor(message)) {
        // Server side: the token was already checked on the way in.
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
        }
        return;
    }
    final String tokId = (String) message.getContextualProperty(SecurityConstants.TOKEN_ID);
    try {
        SecurityToken tok = tokId == null ? null : TokenStoreUtils.getTokenStore(message).getToken(tokId);
        if (tok != null && tok.isExpired()) {
            // Evict the stale token everywhere it was published so a new one gets issued.
            message.getExchange().getEndpoint().remove(SecurityConstants.TOKEN_ID);
            message.getExchange().remove(SecurityConstants.TOKEN_ID);
            TokenStoreUtils.getTokenStore(message).remove(tokId);
            tok = null;
        }
        if (tok == null) {
            tok = issueToken(message, aim);
        }
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
        }
        message.getExchange().getEndpoint().put(SecurityConstants.TOKEN_ID, tok.getId());
        message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getId());
        TokenStoreUtils.getTokenStore(message).add(tok);
    } catch (TokenStoreException ex) {
        throw new Fault(ex);
    }
}
