
Example 1 with TokenStoreException

Use of org.apache.cxf.ws.security.tokenstore.TokenStoreException in the Apache CXF project.

From the class STSTokenRetriever, method renewToken.

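/**
 * Renews (or, failing that, re-issues) a cached STS token that has expired or is
 * about to expire.
 *
 * If {@code tok} is still valid it is returned untouched. Otherwise it is first
 * evicted from the token cache, so a token the STS may already have rejected is
 * never handed out again, and then either renewed through the STS client or
 * replaced by a freshly issued token when renewing is disabled on the client.
 *
 * Security caveat: with {@code STS_ISSUE_AFTER_FAILED_RENEW} left at its default of
 * {@code true}, any renewal failure (including the STS actively refusing to renew)
 * is logged at WARNING and followed by a new Issue request rather than an error
 * reaching the caller. Set the property to {@code false} to have the failure propagate.
 *
 * @param message     the outbound message whose contextual security properties are consulted
 * @param tok         the currently cached token
 * @param params      issuer, trust and token-template parameters for the STS request
 * @param tokenCacher cache the stale token is removed from
 * @return a usable token: {@code tok} itself, its renewal, or a newly issued token
 * @throws Fault if the stale token cannot be removed from the cache, or if renewal
 *               fails with a checked exception and re-issue is disabled
 * @throws RuntimeException the renewal failure itself, when it is unchecked and
 *               re-issue is disabled
 * @throws NumberFormatException if the imminent-expiry property is set to a non-numeric value
 */
private static SecurityToken renewToken(Message message, SecurityToken tok, TokenRequestParams params, STSTokenCacher tokenCacher) {
    // Threshold passed to SecurityToken.isAboutToExpire; defaults to 10 unless the
    // STS_TOKEN_IMMINENT_EXPIRY_VALUE property overrides it (its unit is defined by SecurityToken).
    long imminentExpiry = 10L;
    String imminentExpiryValue = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_TOKEN_IMMINENT_EXPIRY_VALUE, message);
    if (imminentExpiryValue != null) {
        imminentExpiry = Long.parseLong(imminentExpiryValue);
    }
    // Nothing to do while the token is still comfortably valid.
    if (!(tok.isExpired() || tok.isAboutToExpire(imminentExpiry))) {
        return tok;
    }
    // Drop the stale token from the cache before talking to the STS, so a failed
    // renewal cannot leave an unusable token behind for the next caller.
    try {
        tokenCacher.removeToken(message, tok);
    } catch (TokenStoreException ex) {
        throw new Fault(ex);
    }
    // If the user has explicitly disabled Renewing then we can't renew a token,
    // so just get a new one.
    STSClient client = STSUtils.getClientWithIssuer(message, "sts", params.getIssuer());
    if (!client.isAllowRenewing()) {
        return getToken(message, params, tokenCacher);
    }
    // Per-request state (trust, template, addressing namespace) is set on the shared
    // client and cleared again in finally, hence the lock around the whole exchange.
    synchronized (client) {
        try {
            Map<String, Object> ctx = client.getRequestContext();
            mapSecurityProps(message, ctx);
            client.setMessage(message);
            String addressingNamespace = getAddressingNamespaceURI(message);
            if (addressingNamespace != null) {
                client.setAddressingNamespace(addressingNamespace);
            }
            client.setTrust(params.getTrust10());
            client.setTrust(params.getTrust13());
            client.setTemplate(params.getTokenTemplate());
            return client.renewSecurityToken(tok);
        } catch (Exception ex) {
            LOG.log(Level.WARNING, "Error renewing a token", ex);
            boolean issueAfterFailedRenew = SecurityUtils.getSecurityPropertyBoolean(SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW, message, true);
            if (issueAfterFailedRenew) {
                // Perhaps the STS does not support renewing, so try to issue a new token
                return getToken(message, params, tokenCacher);
            }
            // Single catch instead of two identical ones: unchecked failures propagate
            // unchanged, checked ones are wrapped in a CXF Fault.
            if (ex instanceof RuntimeException) {
                throw (RuntimeException) ex;
            }
            throw new Fault(ex);
        } finally {
            client.setTrust((Trust10) null);
            client.setTrust((Trust13) null);
            client.setTemplate(null);
            client.setAddressingNamespace(null);
        }
    }
}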

Example 2 with TokenStoreException

Use of org.apache.cxf.ws.security.tokenstore.TokenStoreException in the Apache CXF project.

From the class SecureConversationOutInterceptor, method handleMessage.

/**
 * Client-side handling of the SecureConversationToken policy assertion on an
 * outbound message.
 *
 * On the requestor side an existing token is taken from the TOKEN contextual
 * property, or looked up in the token store by the TOKEN_ID property; it is then
 * renewed, or a new one is issued when none is found. The resulting token and its
 * id are recorded on the endpoint and the exchange and the token is added to the
 * store. On the service side the assertion is only marked asserted, because the
 * inbound path is where the token is actually checked.
 *
 * @param message the outbound SOAP message
 * @throws Fault wrapping any TokenStoreException raised by the token store
 */
public void handleMessage(SoapMessage message) throws Fault {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    if (aim == null) {
        return;
    }
    Collection<AssertionInfo> scAssertions = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
    if (scAssertions.isEmpty()) {
        return;
    }
    if (!isRequestor(message)) {
        // server side should be checked on the way in
        for (AssertionInfo ai : scAssertions) {
            ai.setAsserted(true);
        }
        PolicyUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
        return;
    }
    // Only the first SecureConversationToken assertion drives issue/renew.
    SecureConversationToken scPolicy = (SecureConversationToken) scAssertions.iterator().next().getAssertion();
    try {
        SecurityToken existing = (SecurityToken) message.getContextualProperty(SecurityConstants.TOKEN);
        if (existing == null) {
            String cachedId = (String) message.getContextualProperty(SecurityConstants.TOKEN_ID);
            if (cachedId != null) {
                existing = TokenStoreUtils.getTokenStore(message).getToken(cachedId);
            }
        }
        SecurityToken active = existing == null
            ? issueToken(message, aim, scPolicy)
            : renewToken(message, aim, existing, scPolicy);
        if (active != null) {
            for (AssertionInfo ai : scAssertions) {
                ai.setAsserted(true);
            }
            String activeId = active.getId();
            message.getExchange().getEndpoint().put(SecurityConstants.TOKEN, active);
            message.getExchange().getEndpoint().put(SecurityConstants.TOKEN_ID, activeId);
            message.getExchange().put(SecurityConstants.TOKEN_ID, activeId);
            message.getExchange().put(SecurityConstants.TOKEN, active);
            TokenStoreUtils.getTokenStore(message).add(active);
        }
        PolicyUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
    } catch (TokenStoreException ex) {
        throw new Fault(ex);
    }
}

Example 3 with TokenStoreException

Use of org.apache.cxf.ws.security.tokenstore.TokenStoreException in the Apache CXF project.

From the class SpnegoContextTokenOutInterceptor, method handleMessage.

/**
 * Client-side handling of the SpnegoContextToken policy assertion on an outbound
 * message.
 *
 * On the requestor side a cached token is looked up by the TOKEN_ID contextual
 * property. An expired token is purged from the endpoint, the exchange and the
 * token store before a new one is issued, so a stale id cannot be reused. The
 * resulting id is then recorded on the endpoint and the exchange and the token
 * is added to the store. On the service side the assertion is only marked
 * asserted, because the inbound path is where the token is actually checked.
 *
 * @param message the outbound SOAP message
 * @throws Fault wrapping any TokenStoreException raised by the token store
 */
public void handleMessage(SoapMessage message) throws Fault {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    if (aim == null) {
        return;
    }
    Collection<AssertionInfo> spnegoAssertions = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
    if (spnegoAssertions.isEmpty()) {
        return;
    }
    if (!isRequestor(message)) {
        // server side should be checked on the way in
        for (AssertionInfo ai : spnegoAssertions) {
            ai.setAsserted(true);
        }
        return;
    }
    String cachedId = (String) message.getContextualProperty(SecurityConstants.TOKEN_ID);
    try {
        SecurityToken token = cachedId == null ? null : TokenStoreUtils.getTokenStore(message).getToken(cachedId);
        if (token != null && token.isExpired()) {
            // Remove the stale id from every place it was recorded.
            message.getExchange().getEndpoint().remove(SecurityConstants.TOKEN_ID);
            message.getExchange().remove(SecurityConstants.TOKEN_ID);
            TokenStoreUtils.getTokenStore(message).remove(cachedId);
            token = null;
        }
        if (token == null) {
            token = issueToken(message, aim);
        }
        for (AssertionInfo ai : spnegoAssertions) {
            ai.setAsserted(true);
        }
        String tokenId = token.getId();
        message.getExchange().getEndpoint().put(SecurityConstants.TOKEN_ID, tokenId);
        message.getExchange().put(SecurityConstants.TOKEN_ID, tokenId);
        TokenStoreUtils.getTokenStore(message).add(token);
    } catch (TokenStoreException ex) {
        throw new Fault(ex);
    }
}

Example 4 with TokenStoreException

Use of org.apache.cxf.ws.security.tokenstore.TokenStoreException in the Apache CXF project.

From the class KerberosTokenPolicyValidator, method validatePolicies.

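/**
 * Validates the KerberosToken policy assertions against the Kerberos
 * BinarySecurityToken results produced by WSS4J.
 *
 * Each Kerberos result is checked against every assertion. An assertion whose token
 * is not required for this message is asserted (together with the WssKerberosV5ApReqToken11
 * and WssGssKerberosV5ApReqToken11 sub-assertions) without inspecting the token; otherwise
 * checkToken decides and a mismatch marks the assertion not-asserted. For the first result
 * that satisfies all assertions, a SecurityToken carrying the secret from the WSS4J result
 * is added to the token store and its id is published on the exchange under
 * SecurityConstants.TOKEN_ID; any further results are not examined.
 *
 * @param parameters the WSS4J results, the message and its AssertionInfoMap
 * @param ais        the KerberosToken assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    List<WSSecurityEngineResult> kerberosResults = findKerberosResults(parameters.getResults().getActionResults().get(WSConstants.BST));
    for (WSSecurityEngineResult kerberosResult : kerberosResults) {
        KerberosSecurity kerberosToken = (KerberosSecurity) kerberosResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        boolean asserted = true;
        for (AssertionInfo ai : ais) {
            KerberosToken kerberosTokenPolicy = (KerberosToken) ai.getAssertion();
            // Assert optimistically; checkToken below may flip this to not-asserted.
            ai.setAsserted(true);
            assertToken(kerberosTokenPolicy, parameters.getAssertionInfoMap());
            if (!isTokenRequired(kerberosTokenPolicy, parameters.getMessage())) {
                PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), new QName(kerberosTokenPolicy.getVersion().getNamespace(), "WssKerberosV5ApReqToken11"));
                PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), new QName(kerberosTokenPolicy.getVersion().getNamespace(), "WssGssKerberosV5ApReqToken11"));
                continue;
            }
            if (!checkToken(parameters.getAssertionInfoMap(), kerberosTokenPolicy, kerberosToken)) {
                asserted = false;
                ai.setNotAsserted("An incorrect Kerberos Token Type is detected");
            }
        }
        if (asserted) {
            SecurityToken token = createSecurityToken(kerberosToken);
            // The secret WSS4J extracted from the Kerberos token travels with the cached token.
            token.setSecret((byte[]) kerberosResult.get(WSSecurityEngineResult.TAG_SECRET));
            try {
                TokenStoreUtils.getTokenStore(parameters.getMessage()).add(token);
            } catch (TokenStoreException ex) {
                // Log the exception itself rather than only its message so the cause
                // (and stack trace) is available when the store is misconfigured.
                // NOTE(review): the token id is still published on the exchange below even
                // though caching failed, so a later lookup by that id will miss; behaviour
                // kept as-is here, but callers should expect that case.
                LOG.log(java.util.logging.Level.WARNING, "Unable to add the Kerberos token to the TokenStore", ex);
            }
            parameters.getMessage().getExchange().put(SecurityConstants.TOKEN_ID, token.getId());
            return;
        }
    }
}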

Example 5 with TokenStoreException

Use of org.apache.cxf.ws.security.tokenstore.TokenStoreException in the Apache CXF project.

From the class AsymmetricBindingHandler, method handleBinding.

/**
 * Applies the asymmetric binding to the outbound message.
 *
 * Creates and lays out the timestamp, asserts the binding, then runs either
 * encrypt-before-sign or sign-before-encrypt according to the binding's
 * protection order, and finally asserts the algorithm suite, WSS, trust and
 * "only sign entire headers and body" properties. Only the encrypt-before-sign
 * path declares a TokenStoreException; it is surfaced as a Fault.
 *
 * @throws Fault if the token store fails during encrypt-before-sign
 */
public void handleBinding() {
    WSSecTimestamp timestamp = createTimestamp();
    handleLayout(timestamp);
    assertPolicy(abinding.getName());
    String bindingNs = abinding.getName().getNamespaceURI();
    boolean encryptFirst = abinding.getProtectionOrder() == AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning;
    if (encryptFirst) {
        try {
            doEncryptBeforeSign();
        } catch (TokenStoreException ex) {
            throw new Fault(ex);
        }
        assertPolicy(new QName(bindingNs, SPConstants.ENCRYPT_BEFORE_SIGNING));
    } else {
        doSignBeforeEncrypt();
        assertPolicy(new QName(bindingNs, SPConstants.SIGN_BEFORE_ENCRYPTING));
    }
    reshuffleTimestamp();
    assertAlgorithmSuite(abinding.getAlgorithmSuite());
    assertWSSProperties(bindingNs);
    assertTrustProperties(bindingNs);
    assertPolicy(new QName(bindingNs, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
}
